1 OVERVIEW

FinSpy is designed to help Law Enforcement and Intelligence Agencies to remotely monitor computer 
systems and get full access to: 

■ Online Communication: Skype, Messengers, VoIP, E-Mail, Browsing and more 

■ Internet Activity: Discussion Boards, Blogs, File-Sharing and more 

■ Stored Data: Remote access to hard-disk, deleted files, crypto containers and more 

■ Surveillance Devices: Integrated webcams, microphones and more 

■ Location: Trace computer system and monitor locations 




2.1 FinSpy Agent - Installation

To install FinSpy Agent software, run the setup and follow the steps as shown. Click Install and Finish. No 
further settings are necessary. 



[Screenshot: FinSpy Agent Setup - Welcome to the FinSpy Agent Setup Wizard]



Confirm the license agreement. 



[Screenshot: FinSpy Agent Setup - End-User License Agreement, with the following notice and an acceptance checkbox]

CUSTOMER SOFTWARE LICENCE

DO NOT NAVIGATE BEYOND THIS PAGE TO OPEN THE FIN FISHER
APPLICATION UNTIL YOU HAVE CONFIRMED AS INDICATED BELOW
THAT HAVE READ AND ACCEPTED ALL THE TERMS OF THIS LICENCE
(WHICH ARE AVAILABLE WITH THE LINK BELOW) AND WISH TO
BECOME THE LICENSEE OF THE SOFTWARE. ACCEPTANCE SHALL BIND
YOU AND ALL OF YOUR EMPLOYEES TO THE TERMS OF THE LICENCE.
YOUR OPENING OF THIS APPLICATION WILL BE DEEMED TO BE YOUR
ACCEPTANCE OF THE FOLLOWING TERMS.

Enter the destination folder for the installation.

[Screenshot: FinSpy Agent Setup - destination folder dialog, "Install FinSpy Agent to: C:\Program Files\FinSpyAgent\"]

[Screenshot: FinSpy Agent Setup - Completed the FinSpy Agent Setup Wizard. Click the Finish button to exit the Setup Wizard.]

2.1.1 FinSpy Agent - Additional Software

To operate a computer as a FinSpy Agent the following preparations must be done. 

2.1.1.1 Microsoft .NET Framework 

The Microsoft .NET Framework is a software framework that can be installed on computers running 
Microsoft Windows operating systems. It is necessary to have the .NET Framework >= 3.5 SP1 installed 
to run the FinSpy Agent software. 

The framework can be downloaded and installed from: 

http://msdn.microsoft.com/en-us/netframework/default.aspx 

2.1.1.2 OGG Theora Codec 

Theora is a free and open video compression format. It must be installed to play Audio and Video. 
The codec can be downloaded and installed from: 



http://www.xiph.org/dshow/

[Screenshot: xiph.org page "Directshow Filters for Ogg Vorbis, Speex, Theora, FLAC, and WebM", version 0.85.17766 (19 December, 2010), with the Windows 32/64-bit installer download]

Just follow the instructions of the installation steps. No further changes need to be done. All Audio and
Video can now be played within Windows Media Player.

2.1.1.3 Disable AutoPlay

The AutoPlay feature enables Windows to pop up the default options
when a removable drive such as a USB flash drive or CD-ROM is inserted.

The AutoPlay feature is, by default, disabled in Windows 7 for security
reasons. To check whether Autorun is disabled on the installation, follow the
steps below.

To disable Autorun: 

1. Go to Control Panel\Hardware and Sound\AutoPlay. 

2. Uncheck Use AutoPlay for all media and devices 

3. Click Save. 



[Screenshot: Windows AutoPlay control panel with the "Use AutoPlay for all media and devices" checkbox]

2.1.1.4 Microsoft Office

To be able to use the FinSpy Agent Office Document infection it is mandatory to change the Trust Center
settings within Microsoft Word 2003 or 2007.

After clicking on the Ribbon of Word, there is "Word Options" (1) in the lower corner, which will open a new
dialog. On the left side is the option "Trust Center" (2) and "Trust Center Settings" (3). Again, a dialog
will open. Under "Macro Settings" (4), "Trust access to the VBA project object model" (5) must be
checked. If not, FinSpy Agent will not be able to infect Microsoft Word (.doc) documents.



[Screenshot: Microsoft Word Office menu, Word Options and Trust Center dialogs with callouts 1 to 5, showing Macro Settings and "Trust access to the VBA project object model"]

2.2 FinSpy Agent - User Manual

2.2.1 Quick Start and Overview

This chapter describes the handling and layout of the FinSpy Agent user interface. To start
the FinSpy Agent, click its icon on the Desktop; this opens the main interface.



[Screenshot: FinSpy Agent login dialog with callouts 1 to 3]

1. Username and password 

2. Address and port of FinSpy Master to which the FinSpy Agent connects 
This data will be remembered after the first successful login 

3. Logoff from the FinSpy Master

After a successful login the main interface of the FinSpy Agent will open.

[Screenshot: FinSpy Agent main interface (Version 2.30) showing the navigation menu and the Target List with the columns Name, M, T, Computer, User, Country, City, Global IP, OS, OS Details, Version and Install Mode]

The navigation menu contains the following entries:

Data Analysis: Monitors and analyzes data of a selected FinSpy Target or all FinSpy Targets.

Create Target: It will open a wizard which guides easily through the creation of a FinSpy Target.

Configuration: Basic Settings for the FinSpy Agent and FinSpy Master can be defined.

Show Logfiles: Gives the possibility of viewing the FinSpy Master system logfiles.

Agent List: Information about FinSpy users, their user rights, logins and current connections.

License Information: Displays information regarding the license.

About: Shows the FinSpy Agent version and software agreement.

Online Help: Connects to online help on the Gamma Group homepage via internet.

2.2.2 Target List

The Target List contains all actions to manage data and FinSpy Infection of a FinSpy Target. All FinSpy
Targets are listed in two tables under the following categories:



[Screenshot: Target List with Online and Offline groups, and the column selection menu listing Name, Data on Master, Data on Target, UID, Computer, User, Country, City, Global IP, Local IP, OS, OS Details, Target Time, Time Zone, Alarm, Version and Install Mode]

The following information of infected FinSpy Targets is available: 



Name: Name of FinSpy Installer Package (changeable after FinSpy Infection)

M (Data on Master): New downloaded data available on FinSpy Master

T (Data on Target): New data available on FinSpy Target (data is ready to download)

UID: FinSpy Target Unique Identifier

Computer: System Name of Target System

User: Username under which the FinSpy Infection operates

Country: Country in which the FinSpy Target is located (detected by public IP)

City: City where the FinSpy Target is located (detected by public IP)

Global IP: Public IP address of the FinSpy Target

Local IP: IP address of the FinSpy Target System

OS: Icon representing the Operating System running on the FinSpy Target machine

OS Details: Operating System including Service Pack which runs on the FinSpy Target machine

Target Time: FinSpy Target local time

Time Zone: FinSpy Target time zone and Daylight Saving Indicator

Alarm: Indicator which shows if an Alert was set

Version: Software Version of the FinSpy Target

Install Mode: This indicates if the FinSpy Target is installed in

• MBR (Master Boot Record)

• Kernel Mode (as Administrator)

• User Mode

License: Shows the License ID of the FinSpy Target



Online: List of FinSpy Targets connected to the internet and FinSpy Master 

Offline: List of FinSpy Targets currently not connected to Internet and FinSpy Master 

Archived: List of FinSpy Targets not infected anymore 

Clicking on a specific target opens all possible actions. Available actions depend on the status of the 
FinSpy Target (offline/online). 

Right-Clicking on any column header allows the user to choose which columns shall be displayed. 



Exclusively supplied to and authorized use by police, intelligence, security, and other government agencies

FinSpy / User Manual

2.2.2.1 Target List - Online




The possible actions of an online target are: 



Analyse Data: Analyzes data which is already downloaded and available on the FinSpy Master

Visualize Data: Shows the recordings on a visual graph

Evidence Protection: Enables checking of Activity Logging and proofing evidence

Configuration: Management of the FinSpy Target

Live Session: Opens a live session to monitor a FinSpy Target live

Update: Will update the FinSpy Target Core and all the modules.

Remove Infection: Removes the FinSpy Infection from the FinSpy Target

Disconnect: Disconnect from the FinSpy Target






2.2.2.2 Target List - Offline 

[Screenshot: action bar of an offline target]




Possible actions for an infected offline target. An offline target still collects data locally, which can be 
downloaded any time the FinSpy Target goes online. 



Analyse Data: Analyzes data which is already downloaded and available on the FinSpy Master

Visualize Data: Shows the recordings on a visual graph

Evidence Protection: Enables checking of Activity Logging and proofing evidence

Configuration: Management of the FinSpy Target - even offline

Remove Infection: Removes the FinSpy Infection from the FinSpy Target



2.2.2.3 Target List - Archived 

[Screenshot: action bar of an archived target]



Possible actions for a FinSpy target, which is no longer infected. The recorded data is still persistent on 
the FinSpy Master but the FinSpy target is not infected anymore. 



Analyse Data: Analyzes data which is already downloaded and available on the FinSpy Master

Visualize Data: Shows the recordings on a visual graph

Evidence Protection: Enables checking of Activity Logging and proofing evidence

Remove Data: Removes the recorded data from the FinSpy Master



2.2.2.4 Target List - Target Licensing 

The number of FinSpy Targets which can be monitored on the system is part of the license information 
which is imported on the FinSpy Master during the installation. 



After infection, the FinSpy Target has no associated license and all its data collection features are
disabled. The FinSpy Master will allocate a license to the newly infected FinSpy Target, if available.

If there is no license available, the FinSpy Agent can still see the FinSpy Target in the Target List but can
only work with it in a limited way until an existing infection is removed.

Previously gathered data can still be analyzed.

Once the license is installed on the FinSpy Target all the features become available and the user gains
full control over the FinSpy Target.

If all the licenses are used, newly infected FinSpy Targets will be shown as disabled until a new license
is available.

[Screenshot: unlicensed target in the Target List with the notice "Target Actions are disabled due to licensing limitation. For more information please refer to the user manual."]

To free a license, an existing infection has to be removed from a licensed FinSpy Target. The infection
can be removed immediately from an online FinSpy Target or can be scheduled for removal from an
offline FinSpy Target. Either way the license will be freed immediately and allocated to an unlicensed
target.

2.2.2.5 Target List - Recorded Data Availability

A star (1) indicates that there is new "Data on Master" available.
This means new data was downloaded from the FinSpy Target to the
FinSpy Master.

A bullet (2) indicates that there is new "Data on Target" available. This
means there is new recorded data available on the FinSpy Target
(e.g. Keylogger recordings, Skype recordings, etc.) which has not yet been
transferred to the FinSpy Master.

[Screenshot: Target List with star (1) and bullet (2) markers in the M and T columns]

2.2.3 Analyse Data

Analyse Data gives the possibility of showing all the recorded data which was transferred to the FinSpy 
Master. The recorded data can be viewed, deleted or exported. "Analyze Data" will show a list of all data 
recorded of the selected FinSpy Target. 



[Screenshot: action bar of an online target]


All the data of the selected FinSpy Target is displayed as a list. All new entries in the list are displayed 
with bold characters. This indicates that the data was not processed yet. Once the data is viewed or 
exported, the data will not be displayed in bold anymore. 



[Screenshot: Analyse Data view for a target, with the Choose Target, Choose Module, Start Date and End Date filters, a list of Screen Recording entries, and a detail pane showing Target, Description, Acquired at, Module, SESSION TYPE, QUALITY, RESOLUTION and ORIGINAL RESOLUTION]

Description: Identifies the module (device/application) of the recorded data set.

1 (Importance): An importance level can be associated to the collected evidence and can be used as ordering criteria. To change the Importance Level, right click in the importance level column of an evidence entry and a popup with all the available importance levels is displayed.

Name: FinSpy Target Name

UID: Unique internal reference to the FinSpy Target

Size: Size of the data set in bytes

Acquired: The date when the data was recorded




Possible actions for the data entries can be shown and additional information is displayed.

[Screenshot: selected Screen Recording entry with its detail pane, the importance levels Critical, Severe, High, Normal and Low, and the actions Show, Delete, Export and Comments]

Show: Opens the recorded data. In case of streaming data (video, sound) an external player is opened.

Delete: Deletes the data set from the FinSpy Master.

Export: The data is exported to the FinSpy Agent computer. A folder will open where the data is saved, with the downloaded file selected.

Comments: Opens a window where comments on the data can be stored. Every change of the Importance Level is also logged as a comment.



If "Show" is selected a popup may appear which will ask for a confirmation to display the file. 




[Screenshot: Windows confirmation dialog asking whether to open the Ogg file, with the option "Always ask before opening this type of file"]



Once made, comments on a specific data set cannot be edited or deleted. The comments are
ordered by time in descending order, which means that the most recently entered comment is displayed on
top.

[Screenshot: "Agent Comments for 'Screen Recording'" dialog with timestamped comments, including a logged change of the Importance to Severe]

There is also the possibility to define the search by using filters:

[Screenshot: "Advanced options" toggle]

The following filters are available:

[Screenshot: Analyse Data filters: Choose Target, Choose Module (Microphone), Start Date, End Date and the advanced options for the selected module]



Start - End Date: From which date to which date should be searched

Module: Module by which the data was recorded (e.g. Webcam, Microphone, Keylogger, ...)

Advanced Options: In case a specific module is selected, additional filters can be applied depending on the module (e.g. All targets of a certain time zone)

2.2.4 Visualize Data

Visualize Data enables the FinSpy Agent to display recorded data in a graphical way. 

[Screenshot: action bar of an online target]

A typical overview will look like the following: 



[Screenshot: Visualize Data overview, detailed view per day, with callouts 1 to 3]

1. The type of visualization. It will give two different graphs. It can be chosen between 

a. Detailed view per day (default) 

b. Detailed view per hour 

2. The recorded data on that day. Each data is displayed with the amount of recordings for each 
module per day. 



3. The importance level can be set.

Detailed view per hour:

[Screenshot: Visualize Data, detailed view per hour, with one row per module (Microphone, Keylogger) and a metadata pane for a selected Keylogger recording, with callouts 1 to 3]

1. The overview is divided by modules.

2. Amount of recording per module is shown. Additionally the options "Change Importance",
"Export Record" and "Remove Record" can be selected.

3. Meta-information for each recording can be viewed if a recording is selected.

To navigate through date and time the mouse can be used, either via mouse-wheel (up/down) or by
dragging the scrollbar.

2.2.5 Configuration

To access the configuration of an infected FinSpy Target, the target needs to be selected and 
"Configuration" clicked. 



[Screenshot: action bar of an online target with the Configuration action]

A new window opens within the FinSpy Agent. The following image illustrates the layout of the FinSpy 
target configuration. 



[Screenshot: FinSpy Target configuration, General Configuration Options, with the module list on the left and the general settings on the right]

This Workspace is divided in two parts. The first part is on the left, which contains the modules and
different configuration options, and the second is on the right, where module specific configuration
options can be set.

Configuration Options:

• General 

• Download Schedule 

• Alert Settings 

• User permissions 

The following modules are available: 



[Table: Module Name, Module Icon, Available on the following OS. The icon and operating-system columns are images in the original; the module names are listed below.]

• Accesses Files

• Changed Files

• Command Shell

• Deleted Files

• File Access

• Forensics Tools

• Keylogger

• Microphone

• Printer

• Scheduler

• Skype

• Screen & Webcam

• VoIP

2.2.5.1 Configuration - General

2.2.5.1.1 Infection Executable Information

This information is not changeable. 

• Infection Unique ID: An internal ID of the FinSpy Target Installer 

• Infection Name: Given name of the target 

• Infection Owner: Internal user ID of the user who generated the FinSpy Target 

• Max Infections: Maximum number of FinSpy Targets which can be infected by the device 
application 



[Screenshot: Infection Executable Information panel with the fields Infection Unique ID (Auto-Generated Unique Identifier), Infection Name (Descriptive Name of Target), Infection Owner (Name/UID of Agent) and Max Infections (Maximum number of targets that will be infected)]

2.2.5.1.2 Hiding Techniques

It is possible to activate an advanced hiding method which allows the FinSpy Trojan to be stealthier
and extremely well hidden.

The following actions are taken if the FinSpy Trojan runs in User-Mode: 

• Hides the network connections 

• Hides the registry entries 

• Hides the Trojan processes 

The following actions are taken if the FinSpy Trojan runs in Admin-Mode: 

• Hides the network connections 

• Hides the Trojan processes 



[Screenshot: Hiding Techniques panel with the "Active Hiding" checkbox and the text "Use intrusive techniques to hide the infection files, folders, registry entries and network connections. By enabling this feature the infection becomes more susceptible to detection by root-kit reveal products."]

If Active Hiding is activated, the infection is more likely to be discovered by some rootkit detectors, due to its
aggressiveness within the system.

2.2.5.1.3 Infection Self-removal 

Computers which never go online may become infected by mistake and spread an infected application
through an organization. To avoid keeping offline computers infected and still recording data, the FinSpy
Target can remove itself.

• Scheduled Removal: Date on which the FinSpy Target removes itself from the infected computer

• Time Out Removal: Time after which the FinSpy Target removes itself from the infected
computer, if communication with the FinSpy Master fails (even if there is a functional internet
connection). This removal will be disabled once the FinSpy Target contacts the FinSpy Master for
the first time.



[Screenshot: Infection Self-removal]

Scheduled Removal: Never (Specify a date when the FinSpy Target will automatically remove itself from the target)
Time-Out Removal: 1 Week (The FinSpy Target will automatically remove itself from the target if it is unable to reach
the master server within the configured timeframe)

2.2.5.1.4 Target Settings

Behaviour and identification of the FinSpy Target 

• Target Name: FinSpy Installer may infect different targets. To separate the FinSpy Targets the 
previous Target ID of the infected media can be changed 

• Heartbeat Interval: The FinSpy target will send "alive" packets in a defined interval to the FinSpy 
Master. The time of these packets is given in seconds. This is used to update the online/offline 
status of the FinSpy Target. 

• Download Speed Limit: This option can define the download speed with which the data shall be 
transferred to the FinSpy Master. This is useful if only a small amount of bandwidth shall be 
used. 



[Screenshot: Target Settings]

Target Name: Alex FinSpy 2.50 (Descriptive Name of Target)
Heartbeat Interval: 30 seconds, 120 (Delay between call-backs from Target to Master server)
Download Speed Limit: 1024 kb, unlimited (Limit the bandwidth usage to a maximum transfer rate)

2.2.5.1.5 Relay Settings

The settings of the network configuration between FinSpy Target and FinSpy Master are: 

• Relay IP Address: Pre-configured with connected FinSpy Master. This must be the external IP or 
Hostname address of the FinSpy Master or of the FinSpy Relay. Several IP or hosts can be 
defined. The infected computer will connect to one of the configured addresses 

• Relay Port: Pre-configured with settings retrieved by the FinSpy Master 



[Screenshot: Proxy Settings]

Proxy IP Address(es): tiger.gamma-international.de (IP Address / Hostname)
Proxy Port(s): 3111, 3112, 3113 (TCP Port(s))



2.2.5.1.6 Application Based Events 

Defines the behavior of the FinSpy Target, if certain applications are running or not running on the 
FinSpy Target system. 

If Operation Mode is set to "Disabled", the FinSpy Target communication with the FinSpy Master will not 
be affected by any running application in the system. 

When Operation Mode is set to "Active for Event", the FinSpy Target will try to connect to the FinSpy
Master only if the applications listed in the boxes are currently running.

Operation Mode set to "Inactive for Event" suppresses the FinSpy Target communication with the
FinSpy Master if one of the applications listed in the boxes is currently running.
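
Seen from the network side, the Heartbeat Interval, Relay and Application Based Events settings described above produce call-backs from one host to one relay address at a near-constant period, possibly over several TCP ports and with silent stretches in between. The following detection sketch is an added example, not part of the manual or of any FinSpy code; the record format, addresses, ports and thresholds are constructed assumptions.

```python
"""Flag fixed-interval call-backs ("alive" packets) in connection logs."""
from collections import defaultdict
from statistics import median


def build_sample():
    """Constructed flow records: (epoch_seconds, src_ip, dst_host, dst_port)."""
    rows = []
    # Host A: call-back roughly every 30 s with small jitter. After the sixth
    # event there is a 10-minute silence, as if communication were suppressed
    # while a listed application was running.
    t = 1000
    jitter = [0, 1, -1, 0, 2, -1, 0, 1, 0, -2, 1, 0]
    for i, j in enumerate(jitter):
        rows.append((t + j, "192.0.2.10", "relay.example.net", 8443 + i % 3))
        t += 600 if i == 5 else 30
    # Host B: ordinary, irregular browsing to one site.
    for ts in (1003, 1011, 1090, 1100, 1460, 1475, 1900, 2310):
        rows.append((ts, "192.0.2.20", "www.example.org", 443))
    # Host C: regular, but too few events to judge.
    for ts in (1000, 1030, 1060):
        rows.append((ts, "192.0.2.30", "time.example.com", 123))
    return rows


def find_beacons(rows, min_events=8, tolerance=0.15, min_regular=0.8):
    """Return one finding per (src, dst) pair whose gaps cluster on one period.

    Ports are deliberately not part of the grouping key, because a relay may
    be reachable on several configured TCP ports.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in rows:
        by_pair[(src, dst)].append((ts, port))

    findings = []
    for (src, dst), events in sorted(by_pair.items()):
        if len(events) < min_events:
            continue
        events.sort()
        deltas = [b[0] - a[0] for a, b in zip(events, events[1:])]
        period = median(deltas)  # estimated from data, not assumed
        if period <= 0:
            continue
        # Silences much longer than the period are counted separately so that
        # suppressed communication does not hide an otherwise steady rhythm.
        active = [d for d in deltas if d <= 3 * period]
        pauses = len(deltas) - len(active)
        regular = sum(1 for d in active if abs(d - period) <= tolerance * period)
        score = regular / len(active)
        if score >= min_regular:
            findings.append({
                "src": src,
                "dst": dst,
                "period_s": period,
                "regularity": round(score, 2),
                "pauses": pauses,
                "ports": sorted({p for _, p in events}),
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(build_sample()):
        print(finding)
```

Because the interval is configurable per target, the period is estimated from the traffic itself instead of being matched against a fixed value.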



[Screenshot: Application Based Events]

Start/Stop the communication depending on the currently running applications:
Operation Mode: Disabled, Active for event, Inactive for event (shown: Active for event)
Application Category: Browser, Messenger, E-Mail, FileSharing
Applications: firefox (Mozilla Firefox), iexplore (Windows Internet Explorer)

2.2.5.2 Configuration - Download Schedule

Download schedule will automate downloads of data. Automatic downloads can be initiated by time- 
and application-based events. 

A new tab will open with the separation of "Application Events" (1) and "Time Events" (2). On "Add" (3), 
new Time Events can be added. "Save Changes" (4) will save all settings for the FinSpy target. 



[Screenshot: Target List, Alex FinSpy 2.50 (Download Schedule)]

Application Events: Data Available, Screen Locked, Screensaver Active
Time Events (columns Time, Time Zone): Once, Daily, Weekly, Monthly. Each category shows "This category contains no items. Use the add button to add a new item."

A download of data will be initiated if one of the configured events occurs.

Application Events:

• Data Available: As soon as new recorded data is available, the data will be transferred to the FinSpy
Master

• Screensaver Active: New recorded data will be downloaded to the FinSpy Master if the Screensaver of
the target computer is active

• Screen Locked: New recorded data will be downloaded to the FinSpy Master if the Computer of
the target gets locked


If a new time event is added, a new tab opens in which all parameters of the new time event can be set. 



[Screenshot: Configure Event dialog with Start Event Date (calendar showing April, 2010), Event Time, Time Zone, and Add / Cancel buttons]

• Start Event Date: The first day on which the download starts

• Event Time: At which time the download starts

• Interval: Interval between the downloads

■ Once

■ Daily

■ Weekly

■ Monthly

• Time Zone: Which time zone should the event refer to

■ Target

■ Local

■ UTC




2.2.5.3 Configuration - Alert Settings 

The FinSpy Master can alert via E-Mail if a target status changes. Alert messages are generated by the 
FinSpy Master. Alerts can be triggered on the following events: 



• Target Online: An alert will be triggered if a FinSpy Target changes its status from Offline to Online

• Data Available: An alert will be triggered if a FinSpy Target has new data recorded which is not
transferred to the FinSpy Master yet.

• Data Downloaded: An alert will be triggered if the FinSpy Master downloaded new data from the
FinSpy Target.

[Screenshot: Target List, Alex FinSpy 2.50 (Alert Settings), with columns Email Address, Target Online, Data Available, Data Downloaded]

2.2.5.4 Configuration - User Permissions

Within this configuration ADMINISTRATOR and SYSTEM ADMINISTRATOR can define rules to allow
certain users to perform certain actions on the FinSpy Target.

The user management within a target looks like the following:



[Screenshot: User Permissions, one row per user (for example James Tester) with a checkbox for each of Analyse Data, Live Session, Configuration, Update, Remove Infection and Delete Data, and an Add Users button]

Note: Only regular users can be added or removed, administrators will always have full permissions.



2.2.5.5 Configuration - Accessed Files 

The Accessed Files Module records opened files from an infected FinSpy Target. Due to the nature of 
Operating Systems, a lot of files are opened all the time. Therefore enabling and configuration of this 
module is important and shall be handled with care. This module might trigger and copy a lot of files to 
the FinSpy Master. 



[Screenshot: Accessed Files Configuration Options]

Specify folders to watch for file access: All Drives & Folders, or a list such as %HOMEDRIVE%%HOMEPATH% and %PUBLIC%
Please provide one folder path or name per line.
Exceptions: %PROGRAMFILES%, %ProgramFiles(x86)%, %APPDATA%, %WINDIR%
Please provide one folder path or name per line.
Supported system defined constants: ALLUSERSPROFILE, APPDATA, HOMEPATH, LOCALAPPDATA, ProgramData, PROGRAMFILES, SYSTEMROOT, USERPROFILE and WINDIR

Record image files accessed by explorer.exe: Determine whether image files accessed by explorer.exe are to be recorded. Enabling this option will cause a lot of recordings.

Specify which file types should be recorded: All Files, Image, Office, Video, PGP/GnuPG, Audio, PDF, HTML, Archives
Custom file types
Please provide file extentions separated with semicolon, for example: .mp4;.ogv;.avi

2.2.5.6 Configuration - Changed Files

The Changed Files Module is in charge of recording the files which were modified while the module is 
enabled. The FinSpy Agent will provide a configuration for the Changed Files Module where the user can 
filter the location and file types which have to be monitored by the FinSpy Target module. Additional 
information such as the event (accessed, newly created, changed) and the time when the event 
occurred will be provided together with the recorded file. 

[Screenshot: Changed Files Configuration Options]

Specify folders to watch for file changes: All Drives & Folders
Please provide one folder path or name per line.
Exceptions: %PROGRAMFILES%, %APPDATA%, %WINDIR%, %ProgramData%
Please provide one folder path or name per line.
Supported system defined constants: ALLUSERSPROFILE, APPDATA, HOMEPATH, LOCALAPPDATA, ProgramData, PROGRAMFILES, SYSTEMROOT, USERPROFILE and WINDIR

Specify which file types should be recorded: All Files, Image, Office, Video, PGP/GnuPG, Audio, PDF, HTML, Archives
Custom file types
Please provide file extentions separated with semicolon, for example: .mp4;.ogv;.avi



2.2.5.7 Configuration - Command Shell 




This module is not configurable but enables the functionality of interacting with the
FinSpy Target via a Command Shell.

2.2.5.8 Configuration - Deleted Files

The Deleted Files module enables the FinSpy Target to collect deleted files from the infected system. 
The Deleted Files module is able to collect all the deleted files, namely: the files which are deleted 
(moved) to Recycle Bin as well as the files removed using Shift+Delete. The configuration provides the 
module with filtering capabilities based on location and file type. Additional information such as the 
time of deletion will be provided together with the recorded data. 



[Screenshot: Deleted Files Configuration Options]

Folders to watch: All Drives & Folders
Please provide one folder path or name per line.
Exceptions: %WINDIR%, %PROGRAMFILES%
Please provide one folder path or name per line.
Supported system defined constants: ALLUSERSPROFILE, APPDATA, HOMEPATH, LOCALAPPDATA, ProgramData, PROGRAMFILES, SYSTEMROOT, USERPROFILE and WINDIR

Specify which file types should be recorded: All Files, PDF, HTML
Custom file types
Please provide file extentions separated with semicolon, for example: .mp4;.ogv;.avi



2.2.5.9 Configuration - File Access 



This module is not configurable but enables the functionality of interacting with the 
file system of the FinSpy Target. 



2.2.5.10 Configuration - Forensics Tools 



This module is not configurable but enables the functionality of interacting with the
file system of the FinSpy Target.

2.2.5.11 Configuration - Keylogger

Application based events can be used to tune the keylogging process. The mechanism used for FinSpy 
Target communication is adapted for the Keylogger Module to allow/suppress the keylogging for certain 
applications. 

If Operation Mode is set to "Disabled", the keylogging will not be affected by any running application in 
the system. When Operation Mode is set to "Active for Event", the keylogging is only active if the 
applications listed in the boxes are currently running. Operation Mode set to "Inactive for Event" 
suppresses the keylogging if one of the applications listed in the boxes is currently running. 



[Screenshot: Application Based Events]

Record/Ignore the keystrokes pressed within the configured applications:
Operation Mode: Disabled, Active for event, Inactive for event (shown: Active for event)
Application Category: Browser, Editors, E-Mail, Messenger
Applications: WINWORD (Microsoft Word), EXCEL (Microsoft Excel)



2.2.5.12 Configuration - Microphone 

In order to define the size of a microphone recording, the quality can be defined. Depending on 
increasing or decreasing the quality, the amount of data for a recording will change. 

Decreasing the quality of recordings can save 80 percent of memory used. The selected sound quality 
can be tested under "Listen to Sample" as a sample of the selected sound quality is played. 



[Screenshot: Microphone Configuration Options]

Sound Quality: options include High, Phone and Low, with a "Listen to Sample" button
Estimated encoding size for 1 minute recordings: 120 KB

2.2.5.13 Configuration - Printer 



This module is not configurable but enables the functionality of capturing everything printed
on the FinSpy Target system and places a copy as a PDF on the FinSpy Master.

2.2.5.14 Configuration - Scheduler

The Scheduler Module is responsible for time based data recording on the FinSpy Target. Recording can 
be scheduled at a specific date and time and for a given duration. 



[Screenshot: Scheduler Configuration Options]

Active Module    Time                Time Zone    Duration
Microphone       2010-02-05 10:33    Local        00:30:00
Screen           2010-02-06 10:33    UTC          00:35:00
Daily: This category contains no items. Use the add button to add a new item.
Weekly: This category contains no items. Use the add button to add a new item.
Monthly:
Webcam           2010-02-26 10:34    Target       00:30:00



To create a new scheduler the "Add" button is used. This will start up the scheduled event generation 
wizard. 

There are three types of events which can be scheduled: 

• Microphone recordings - records the primary installed microphone 

• Screen recordings - records screenshots at the configured frequency. 

• Webcam recordings - records webcam frames at the configured frequency. 



After selecting the desired event type, a new section will appear where the configuration of the selected 
Event can be defined. 

The following settings are available:

• Start Event Date: The day on which the recording should start

• Event Time: The time of the already configured day when the recording should start

• Time Zone: The time zone reference. Available options are:

■ Local: The time refers to the time zone of the FinSpy Master

■ UTC: The time is expressed in Coordinated Universal Time

■ Target: The time refers to the time zone of the target machine

• Interval: Defines the interval of the recording. The available options are:

■ Once: The recording is executed only once at the configured date and time

■ Daily: The recording is executed every day at the configured time starting with the
configured date. There is no end date.

■ Weekly: The recording is executed every week on the same week day and time
configured.

■ Monthly: The recording is executed monthly at the same month day as configured at the
same hour as configured. There is no end date. If the recording is scheduled for a day
which exists only in certain months (e.g. February 31st) then the recording is executed
only in the months which contain day 31.

• Duration: The duration of the recording.



[Screenshot: Scheduler Configuration Options, New Time Event wizard. Step 1, "Select what you want to schedule": Microphone, Screen, Webcam. Step 2, "Configure time and duration of event": Start Event Date calendar showing April, 2010. Buttons: Add, Cancel]

2.2.5.15 Configuration - Skype

There are different possibilities of enabling the Skype Monitoring. The quality of recording and type of 
communication within Skype is configurable. 

Recording Options (1): 

• Phone Calls: All calls between the FinSpy Target and other parties will be recorded. 

• Text Messaging: All chats between the FinSpy Target and other parties will be recorded.

• File Transfers: All file transfers between the FinSpy Target and other parties will be recorded. 

• Contact List: The contact list of the FinSpy Target will be recorded. 

Sound Quality (2): 

Decreasing the quality of voice recording may save 80 percent of space. The selected sound quality can 
be tested under "Listen to Sample". A sample of the selected sound quality is played. 

File Options (3): 

To record file transfers via Skype, file recording can be enabled or disabled for specific or all file types. 
Custom file types can be entered as well. 



[Screenshot: Skype Configuration Options]

Recording Options: Phone Calls, File Transfers, Text Messaging, Contact List
Phone Calls Recording Options: Sound Quality: Phone, with a "Listen to Sample" button
Estimated encoding size for 1 minute recordings: 90 KB
File Options: Specify which file types should be recorded: All Files, Office, Video, PGP/GnuPG, Audio, PDF, HTML, Compressed & Archives
Custom file types
Please provide file extentions separated with semicolon, for example: .mp4;.ogv;.avi



Exclusively supplied to and authorized use by police, intelligence, security, and other government agencies

FinSpy / User Manual



2.2.5.16 Configuration - Screen & Webcam 

Recording the Screen of the FinSpy target and the Webcam (if available) is possible with this module. 
Both - Screen & Webcam - have the same settings which can be applied separately. 



• Video Quality: Best, High, Normal, Low

• Image Size: Original (100%), Normal (80%), Half (50%), Quarter (25%).
This will result in a percentage resize of the original resolution

• Mode: Color, Black & White

• Frequency: Interval beginning with 2 seconds and up to 1 hour

• Automatic Recording: Application based Screen Recording can additionally be performed. Either the
whole screen or just the application window can be recorded if a certain
application is running on the FinSpy Target.



[Screenshot: Screen Capture Settings]

Video Quality: Normal
Image Size, Mode and Frequency selectors
Estimated size for a single frame: 88 KB
Automatic Recording: Create automatic recordings of the application main window or screen if one of the applications listed below is enabled and running (selected by Application Category)

[Screenshot: Webcam Capture Settings]

Frequency selector
Estimated size for a single frame: 70 KB

2.2.5.17 Configuration - VoIP

The VoIP module gives the possibility of recording basically all kinds of applications which are used for 
Voice-over-IP communication such as instant messengers or dedicated VoIP applications. 

It will trigger and record the audio channel bidirectionally if the Microphone and the Speakers are
activated at the same time.

It furthermore captures a snapshot of the screen after a few seconds to see with whom the FinSpy 
Target is communicating. 



[Screenshot: VoIP Recording Options]

Specify applications that should be recorded: All Applications, or by Application Category
Screen Capture: Create a screenshot when a call is initiated to get additional call information.
Sound Quality, with a "Listen to Sample" button
Estimated encoding size for 1 minute recordings: 90 KB

2.2.5.18 Configuration - Add & Remove Module

To add & remove modules it is not required to create a new FinSpy Target Package. This can be done 
easily through the Configuration dialog. 

The modules will then immediately be removed from the FinSpy Target or immediately downloaded 
from the FinSpy Master to the FinSpy Target if added. 



[Screenshots: "Removing a module" and "Adding a module", both in Target List, demo MUC v2.20 (Configuration)]

Add New Module: Choose module to activate on the target. The modules offered in the screenshot are Keylogger, Microphone, File Access, Scheduler, Skype and Screen & Webcam.
Double click the module to add it to the target. Click outside to close
and return to configuration.



2.2.5.19 Configuration - Activate & Deactivate Module 



Modules can also be activated and deactivated live on the FinSpy 
Target. 

Removing the check from the checkbox (1) will deactivate the 
module. 

Setting the check in the checkbox (2) will activate the module. 



[Screenshot: Target List, demo MUC v2.20 (Configuration)]

2.2.6 Live Session

Available live access depends on the installed modules on the target. To establish a live session expand a 
target and select "Live Session". 



[Screenshot: Target List entry "Alex FinSpy 3.00" (Online) expanded, with Live Session selected]

[Screenshot: "Select what you want to observe on the target", listing Microphone, Command Shell, Forensics Tools, File Access, Keylogger, Webcam and Screen, each at v2.70. Double click to start the live observation of the target.]

The possible modules are obtained and shown in a new dialog.
More than one live session at a time is possible.



• Microphone: Establishes a live session to the Target's Microphone

• Command Shell: Commands can be entered into the Target's command shell

• Forensics Tools: Enables uploading and execution of applications on the target machine.

• File Access: Will show a live File Browser of the Target's computer

• Keylogger: Will show a live session of the Target's keys pressed

• Webcam: Establishes a live session to the Target's Webcam

• Screen: Establishes a live session to the Target's Desktop

[Screenshot: expanded FinSpy Target entry with Live Session, Download Schedule, Remove Infection, Configuration, Alert Settings and Disconnect]



Each Live Session is opened in a new tab inside the 
FinSpy Agent. After closing the live sessions, the 
connection to the target computer can be ended by 
clicking "Disconnect" inside the expanded FinSpy 
Target of tab Target List. 



The following chapters describe live access of each module in more detail. 
2.2.6.1 Live Session - Microphone / Webcam / Screen 

For a live-session of the FinSpy Target's Display, Webcam or Microphone use the "Start" button inside 
the FinSpy Agent. The quality of the recording depends on the predefined configuration. 



[Screenshot: Target List, demo MUC v2.20 (Record Display), "Watch the target's computer screen"]

To stop recording live images or microphone, move the mouse over the image and click the "Stop"
button.

2.2.6.2 Live Session - Command Shell

This displays a live command shell session of the Target's computer. The command shell runs with the 
user rights under which the FinSpy Target is running. 



[Screenshot: Target List, demo muc (Command Shell), Remote Command Shell. The session shows "dir" run in C:\, then "cd Doc*", then "dir" run in C:\Documents and Settings, each followed by its directory listing, with a "Command:" input box below.]


Commands need to be typed into the text box "Command" and executed by pressing "Enter". The
commands and their output are displayed.

2.2.6.3 Live Session - Forensics Tools

The Forensic tools module consists of predefined applications which can be uploaded to a FinSpy Target 
and then executed. 



[Screenshot: Forensics Tools live session, listing the available applications by category with a status icon next to each]

Currently, the following applications exist and are divided into different categories. 



• System

■ Microsoft Product Keys

■ Windows Updates

■ Opened Files

■ USB devices

■ Installed Devices and Drivers

• Network

■ Current Opened Ports

■ Wireless Networks Keys

■ DialUp and VPN Credentials

■ Network Passwords

• Passwords

■ Email Clients Passwords

■ Internet Messenger Passwords

■ Windows Protected Storage Passwords

■ Internet Explorer Passwords

■ Firefox Passwords

■ Chrome Passwords

■ Opera Passwords

■ Outlook Personal Folder Passwords

• Internet

■ Internet Explorer History

■ Firefox History

■ Last Internet Searches

■ Browser Favourites and Bookmarks

■ Installed Devices and Drivers



Each item additionally gives a short description of its functionality as soon as the mouse hovers over
the item.

For example "Network Passwords" gives the following description:

Network Passwords: Retrieve network shares and .NET Passports accounts.

If an application is uploaded to the FinSpy Target it resides on the system until it is deleted. For further
executions it will not be necessary to upload it again.

The statuses of the applications are indicated by the following icons:

• [icon] This icon indicates that the application is currently not uploaded to the FinSpy
Target. For execution it needs to be uploaded first.

• [icon] The icon indicates that the application is currently uploaded to the FinSpy Target
and just needs to be executed. Furthermore it can be removed from the FinSpy
Target by clicking this icon.



If any application is executed on the FinSpy Target it will retrieve the results in a CSV file. This can be
opened for example with Microsoft Excel.

2.2.6.4 Live Session - File Access

This establishes a live session to the target's computer to browse files. Browsing is possible by
double-clicking in the left tree or on a folder in the right work pane.



[Screenshot: Target List, devel target (Access Files), "Remote filesystem on devel target", with Upload File and Remote Path fields and a folder tree: Documents and Settings (All Users, Default User, LocalService, NetworkService), Intel, Program Files, RECYCLER, System Volume Information, WINDOWS]



A single click on a file expands it giving more detailed information. To download the file click 
"Download" (1) on the right. A Progress-Bar at the bottom displays the download progress. The 
downloaded file can then be viewed through the Analyse data. 

Furthermore a refresh of the actual directory can be performed via right-clicking anywhere and
"Refresh" (2).

2.2.6.4.1 Live Session - File Access - Upload File

It is possible to upload files to the remote host with the Access File Function. 



[Screenshot: Target List, FS-2.30 (Access Files). Upload File points to a local uploaded_file.txt, Remote Path is C:\Acer\uploaded_file.txt. The folder tree shows Acer, Book, Dokumente und Einstellungen, I386, Intel, MSOCache, Programme, RECYCLER, Sysinfo, System Volume Information, Test, VALUEADD and WINDOWS. The file list (columns Filename, Size, Created, Attributes) includes uploaded_file.txt, 4,096, 2010-05-27 17:28:22.]





A file from the local file system needs to be selected and also a remote path defined. This will be by
default the current working directory (1). "Click to start file upload" (2) will then put the file on the
FinSpy target. This file will now be in the selected remote directory (3).

2.2.6.5 Live Session - Keylogger



To start recording keystrokes, click the "Start" button. Recorded keystrokes are displayed with the 
following information. 



[Screenshot: Target List, Alex FinSpy 2.50 (Record Keystrokes), showing a recording dated 2010-10-06 14:25:09 with the keystrokes "cnn.com<Enter>"; callouts 1 to 4 mark the fields described below]



1. The Process Name where the keystrokes are entered 

2. Date and time of the keystroke recording 

3. The Application Name & Windows Title where the keystrokes were done (e.g. Notepad, Internet 
Explorer, Firefox) 

4. Special chars can be enabled or disabled (e.g. Enter, Backspace, Tab, etc.) 



The actual keystrokes can be seen in the main window. 

To stop the recording, the "Stop" button needs to be clicked.

2.2.7 Download Now



To perform a manual download of new recorded data to the FinSpy Master expand FinSpy Target in the 
"Target List" and click on the "Download Now" notification for new available data when the bullet 
appears. 

[Screenshot: Target List entry "Alex FinSpy 2.50" (Online) expanded: ALEX_TARGET, SYSTEM, United Arab Emirates, Dubai, 94.200.250.2, 2.48, with Analyse Data, Configuration, Live Session, Visualize Data, Evidence Protection, Download Schedule, Alert Settings, Permissions, Download Now, Update and Remove Infection]

A list of all the possible recordings is shown to choose from. They are separated into categories to give a better
overview.



[Screenshot: Target List, dev target 2010.04.19 (Recordings List), columns Recording and Description, grouped into Video Recordings, Skype Recordings and Captured keystrokes; the entries shown are dated 2010-04-21 and 4.0 KB each]






2.2.8 Update Modules 

If a new version of FinSpy is released and deployed, it is possible to update a FinSpy Target from an old 
version to the latest one. 



[Screenshot: expanded FinSpy Target entry in the "Target List" with the "Update" action]



It will start by updating the core module of the FinSpy Target, then update all the installed Modules. 



[Screenshots: "Updating Target Modules" progress dialogs showing "Updating core module" and "Updating Keylogger..."]



At the end it will pop up a message saying the update process was complete. To activate the new core 
and the new modules, the FinSpy Target needs to be restarted. 



[Screenshot: "Update Target" message: "The infection was successfully updated, however the new infection features will be available only after a target machine restart."]
2.2.9 Evidence Protection

This feature helps protect the collected evidence by using digital signatures and by logging the
actions taken to collect the evidence from a FinSpy Target.

Evidence Protection can be selected via "Evidence Protection" on each FinSpy Target.

[Screenshot: expanded FinSpy Target entry in the "Target List" with the "Evidence Protection" action]

The Evidence Protection Tab contains the following sections: 



Name       Description
Activity   All the activity which concerns the FinSpy Target is presented since the recording started.
Evidence   All the collected evidence is listed and the user can check if the signature is valid.
History    A history of the FinSpy Target activity can be shown.
2.2.9.1 Evidence Protection - Activity

In the activity logging section, all the interactions from the FinSpy Master to the FinSpy Target are
presented, as well as all the actions actively taken by a user through the FinSpy Agent software to
access the target.

The information recorded for each action is: 



Name                Description
Date                Timestamp with the FinSpy Master time represented in UTC.
User                The name of the user which participated in the activity. If the participant was the FinSpy Master, this will be registered accordingly.
UserUID             The Unique Identifier associated with the user.
AgentUID            Unique Identifier associated with the Agent. Since any user can connect from any FinSpy Agent software to the FinSpy Master, this information pinpoints the machine used for the activity.
Module              The Data Collection module the action was associated with. If the action does not concern a data collection module, this column is left blank.
Event Description   Brief description of the event.



[Screenshot: "Activity" tab of the Evidence Protection window for the target "demo MUC v2.20", with the entries below]

Date                      User           UserUID   AgentUID     Module          Event Description
2010-04-13 13:32:49 UTC   FinSpyMaster   0         0x0                          Master request: Download recorded file 'C:\WL.
2010-04-13 13:33:03 UTC   FinSpyMaster   0         0x0                          Master request: Delete recorded file 'C:\W3ND...
2010-04-13 13:49:10 UTC   FinSpyMaster   0         0x0                          Target comes online
2010-04-13 14:36:05 UTC   markus         1021      0x7S70CE5A                   Agent request: Start Live WebCam Session'
2010-04-13 14:36:06 UTC   FinSpyMaster   0         0x0          Screen & W...   Start 'Live WebCam session'
2010-04-13 14:36:10 UTC   markus         1021      0x7S70CE5A                   Agent request: Stop Live WebCam Session'
2010-04-13 14:36:10 UTC   FinSpyMaster   0         0x0          Screen & W...   Stopped 'Live WebCam session'
2010-04-13 14:36:11 UTC   FinSpyMaster   0         0x0          Screen & W...   Storing of live Video data (record 'O00O0O0OQ2..
2.2.9.2 Evidence Protection - Evidence

The digital signature can be checked by clicking the "Check now" (1) field. Once a signature has been
verified successfully, the field text will change to "Valid" (2). The signature can be checked for all the
collected evidence at a time or by selecting all the entries (Ctrl+A). Exporting of all or certain evidence is
possible (3). The folder where the evidence is exported will be opened in Windows Explorer once the
download is finished. A progress dialog will monitor the download of the evidence since this could be
a lengthy operation.




[Screenshot: "Evidence" tab of the Evidence Protection window for the target "demo MUC v2.20", listing the collected evidence (captured keystrokes, microphone recordings, downloaded files) with size, date and a signature field reading "Check now" or "Valid", plus the "Checking Signature" progress dialog; callouts 1 to 3 as described above]





The exported evidence is accompanied by a report: Report.html which looks similar to the pictures 
below: 



[Screenshot: "Exported Evidence Report" (Report.html) dated 2011-07-04 11:33:31 UTC, with a table of contents and the sections Target Information (Target Name, Target Unique Identifier, Agent Name, Agent Unique Identifier, Infection Date, Infection Removal Date, Operating System, Hostname, Username), Collected Evidence (columns Start, End, Type, Size, File) and Target Activity]






2.2.9.3 Evidence Protection - History 

This gives an overview about historical information of a FinSpy Target such as: 



Name        Description
Date        Timestamp with the FinSpy Master time represented in UTC.
User        The Username of the logged in user.
Country     In which country was the Target
City        In which city was the Target
Public IP   Which Public IP the Target connected from.
Event       Brief description of the event.



[Screenshot: "History" tab of the Evidence Protection window for the target "STUART", showing the "Target History" table with the columns Date, User, Country, City, Public IP and Event]
2.2.9.4 Evidence Signature Verification Tool

An external tool is also provided to check the digital signature and analyze the exported evidence
without the need of a FinSpy Master connection. The Evidence Signature Verification Tool can be run
from a standalone PC. It is not necessary to have either the Evidence Data or the Evidence Signature
Verification tool running on any FinSpy related computer.

The folder of the exported evidence needs to be selected (1) and afterwards simply checked (2). This will
lead to a valid or invalid status.



[Screenshot: the exported evidence folder in Windows Explorer, in which each evidence file (e.g. a Text Document) is accompanied by a META File and a PKCS#7 Signature file, and the Evidence Signature Verification Tool listing every file of the selected folder, including Activity.log, with its date, time and "Valid" status; callouts 1 and 2 as described above]
2.2.10 Disconnect

If a session is established and active to a FinSpy Target, the session can be stopped gracefully through 
"Disconnect". 

[Screenshot: expanded FinSpy Target entry in the "Target List" with the "Disconnect" action]



Only one FinSpy Agent can connect to a FinSpy Target at a time. Therefore the "Disconnect" allows 
another FinSpy Agent to connect to the FinSpy Target. 

2.2.11 Remove Data 

Purging of data removes all data for the selected FinSpy Target from the FinSpy Master database. 

To initiate purging of recorded data, expand the respective FinSpy Target in the tab "Target List" and 
click on "Remove Data". 



[Screenshot: archived FinSpy Target entry in the "Target List" with the "Remove Data" action]



2.2.12 Remove Infection 

"Remove Infection" will irrevocably delete the Infection on the FinSpy Target, and a further infection is
not possible without a restart of the FinSpy Target computer.



[Screenshot: expanded FinSpy Target entry in the "Target List" with the "Remove Infection" action]






2.2.13 Create Target 

A Target is an executable file or Office Document which includes all modules with which a FinSpy Target 
can be monitored. 





[Screenshot: left navigation pane of the FinSpy Agent with the "Create Target" entry]



Click "Create Target" on the left navigation pane of the FinSpy Agent. This will open the Target Creation
Wizard.

Within the wizard, the "Next" and "Previous" buttons can be used to navigate between the configuration
dialogs. It is also possible to click on the items on the left navigation pane.



[Screenshot: "Create Target" wizard with the navigation items General, Network Options, Self-Removal, Select Modules, Target Options, User Permissions, Summary and Generate Infection]
The wizard consists of the following dialogs:

Name                 Description
General              Name and heartbeat of FinSpy Installer Package.
Network Options      Settings retrieved by the FinSpy Master.
Self-Removal         Criteria when the infection removes itself from the FinSpy Target.
Select Modules       Defining which modules should be integrated with their settings.
Target Options       Advanced configuration of the behaviour of the FinSpy Trojan on the FinSpy Target
User Permissions     Assigning users to the FinSpy Trojan
Summary              Infection Summary
Generate Infection   Media or executable with which a FinSpy Target will be infected.




2.2.13.1 General 

General settings configure the behaviour and identification of a FinSpy Installer Package. Some 
parameters are changeable after infection of a FinSpy Target. 



[Screenshot: "Infection Executable Options" with the following fields]

Infection Unique ID: 0x4DEB79E2 (Auto-Generated Unique Identifier for Infection Executable)
Infection Name: Alex FinSpy 3.00 (Descriptive Name of Target)
Infection Owner: alex (1014) (Name/UID of Agent)



The Operating System of the Target has to be chosen. This will result in a different FinSpy Trojan with 
different modules. 
[Screenshot: "Target Operating System" selection with the options Windows, Mac OSX and Linux (Beta)]

Currently supported are the following Operating Systems:

Microsoft Windows:

■ Microsoft Windows 2000 Clean / SP1 / SP2 / SP3 / SP4

■ Microsoft Windows XP Clean / SP1 / SP2 / SP3

■ Microsoft Windows Vista Clean / SP1 / SP2 / SP3 (32 Bit & 64 Bit)

■ Microsoft Windows 7 Clean / SP1 (32 Bit & 64 Bit)

Apple MacOS:

■ Mac OSX 10.6.0 - 10.6.8 (Intel)

Linux:

■ Ubuntu / Debian

■ Fedora / RedHat

■ BackTrack

■ SuSE
2.2.13.2 Network Configuration

These settings are explained in chapter: Proxy Settings & Application Based Events.





[Screenshot: "Network Options" dialog with the following settings]

Relay Configuration

Relay IP Address(es): tiger.gamma-international.de (IP Address / Hostname)
Relay Port(s): 1111, 1112, 1113 (TCP Port(s))

Application Based Events

Start/Stop the communication depending on the currently running applications.
Operation Mode: Disabled
Application Category: Browser, Messenger

Additional Options

Heartbeat Interval: 30 seconds (scale from 5 to 120). Delay between call-backs from target to Master server.
Download Speed Limit: 1024 kb/s (scale from 4 to unlimited). Limit the bandwidth usage to a maximum transfer rate.
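For network defenders, a fixed heartbeat interval like the one configured above leaves a regular timing pattern in flow logs. The following detection sketch is an added example and not part of the manual; the log format, addresses, thresholds and function names are assumptions, and the sample records are constructed. It groups connections by source and destination only, because the relay configuration above lists several TCP ports for one relay.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass
class Beacon:
    src: str
    dst: str
    ports: list      # destination ports seen for this pair, sorted
    events: int      # number of connections observed
    interval: float  # median seconds between connections
    jitter: float    # median absolute deviation divided by the median interval


def build_sample():
    """Constructed flow records in the assumed format 'ISO-timestamp src dst dport'."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    lines = []
    # Host 10.0.0.5: call-backs roughly every 30 s, rotating over three ports.
    t = 0
    for i, gap in enumerate([30, 31, 29, 30, 30, 32, 30, 29, 30, 31]):
        t += gap
        ts = (base + timedelta(seconds=t)).isoformat()
        lines.append(f"{ts} 10.0.0.5 203.0.113.10 {1111 + i % 3}")
    # Host 10.0.0.9: irregular, human-driven traffic to one server.
    t = 0
    for gap in [4, 95, 12, 300, 7, 48, 600, 3, 21, 130]:
        t += gap
        ts = (base + timedelta(seconds=t)).isoformat()
        lines.append(f"{ts} 10.0.0.9 198.51.100.7 443")
    return lines


def find_beacons(lines, min_events=8, max_jitter=0.1):
    """Return source/destination pairs whose connections arrive at a near-constant interval."""
    series = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records
        ts, src, dst, dport = parts
        # Key on (src, dst) so that port rotation does not split one series.
        series[(src, dst)].append((datetime.fromisoformat(ts), int(dport)))

    hits = []
    for (src, dst), events in series.items():
        if len(events) < min_events:
            continue
        events.sort()
        times = [e[0] for e in events]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mid = median(gaps)
        if mid <= 0:
            continue
        # Median absolute deviation is robust against a few delayed call-backs.
        mad = median(abs(g - mid) for g in gaps)
        jitter = mad / mid
        if jitter <= max_jitter:
            ports = sorted({e[1] for e in events})
            hits.append(Beacon(src, dst, ports, len(events), mid, round(jitter, 3)))
    return hits


if __name__ == "__main__":
    for hit in find_beacons(build_sample()):
        print(hit)
```

The thresholds need tuning per network, since legitimate update checkers and monitoring agents also poll at fixed intervals.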





2.2.13.3 Self-Removal 

"Infection Limit" specifies the number of FinSpy Targets which can be infected. 
"Infection Self-Removal" is explained in chapter: Infection Self-removal.





[Screenshot: "Self-Removal" dialog with the following settings]

Infection Limit

Max Infections: 3
Maximum number of targets that will be infected. After this number is reached no new target infections will be accepted by the master server.

Infection Self-Removal

Scheduled Removal: Never
Specify a date when the FinSpy Target will automatically remove itself from the target.

Time-Out Removal: 1
The FinSpy Target will automatically remove itself from the target if it is unable to reach the master server within the configured timeframe.






2.2.13.4 Select Modules 

Check the boxes of the modules that are needed.

Select the modules that you want to include in the target package below

Module            Description                                              Module Size
Accessed Files    Record files when they are being accessed.               12 KB
Microphone        Enable microphone recordings on Target System.           167 KB
Changed Files     Record files when they are being modified.               10 KB
Command Shell     Remotely access the command shell                        7 KB
Deleted Files     Record files that are being deleted.                     10 KB
File Access       Provide live access to the Target filesystem.            12 KB
Forensics Tools   Provide tools to gather information from the target      11 KB
Keylogger         Record all keys that are pressed on the Target System.   22 KB
Printer           Records the printed documents.                           12 KB
Scheduler         Schedule background recordings of several modules.       7 KB
Skype             Record all Skype calls, chats and file-transfers.        179 KB
Screen & Webcam   Record images from the webcam and screen.                12 KB
VoIP              Record all VoIP application calls.                       153 KB



For detailed description how to configure each Module see the following chapters: 



• Configuration - Microphone

• Configuration - Changed Files

• Configuration - Deleted Files

• Configuration - Keylogger

• Configuration - Scheduler

• Configuration - Skype

• Configuration - Screen & Webcam

• Configuration - VoIP
2.2.13.5 Target Options

Different Installer options can be defined. 

• Install in Master Boot Record of hard-disk

With this infection, the FinSpy Trojan writes itself to the Master Boot Record of the Target
system. This requires Administrative privileges on the Target system. Once installed, this
infection makes the Trojan resistant against software such as Deepfreeze & Norton Ghost.

• Vista and Windows 7 usermode infection

Using the usermode infection will not result in a so-called UAC popup within Windows asking for
administrative privileges. This is a covert method for the installation, but it is not as powerful, as the
Trojan will be restricted to the infected user account on the Windows Target.



[Screenshot: "Installer Options" and "Hiding Techniques" settings with the following text]

Installer Options

Install in Master Boot Record of hard-disk
Installing the infection in Master Boot Record ensures Deep Freeze or other similar services bypass. Master Boot Record infection installation is currently supported only on 32-bit systems. Administrator privileges are required for installation in Master Boot Record.

Vista and Windows 7 usermode infection
Create Vista and Windows 7 usermode infection which will not trigger UAC prompt.

Hiding Techniques

Active Hiding on Target
Use intrusive techniques to hide the infection files, folders, registry entries and network connections. By enabling this feature the infection becomes more susceptible to detection by root-kit detectors.



A detailed explanation of Hiding Techniques: 
• Hiding Techniques 
2.2.13.6 User Permissions

Each creation of a FinSpy Trojan allows assigning users to work with it. Multiple users can be chosen (1). 
Furthermore it is possible to give special rights to each user like establishing a Live Session or configuring 
the FinSpy Target (2). 



[Screenshot: "User Permissions" dialog with one row per user and the columns Username, Analyse Data, Live Session, Configuration, Update, Remove Infection and Delete Data, plus the user selection list "Choose users to add to the permissions of this Target" with the hint "Double click the user to add it to the permission list. Click outside to close and return to configuration."; callouts 1 and 2 as described above]



2.2.13.7 Summary 

A Summary of the generated infection can be reviewed. Listed is the name of the infection, some 
configuration settings and also all chosen modules. 



[Screenshot: "Infection Executable Summary" with the following text]

Infection name: Alex FinSpy 3.00
Infection Unique ID: 0x4DEB79E2
Selected Target Operating System: Windows
The heartbeat interval is set to 30 seconds.
Infected targets will connect to tiger.gamma-international.de on ports 1111, 1112, 1113.. 1234
A maximum of 3 targets can be infected.
Self-removal will be done when no connection to a proxy can be established within 1 Week
Preinstalled and configured Modules: (shown as icons)
On this final dialogue the infection paths can be selected.



[Screenshot: "Additional Infection Paths" options with the following text]

Infected Application: Select Application (.exe) to infect with Target Executable.
Infected Screensaver: Select Screensaver (.scr) to infect with Target Executable.
Infected Office Document: Select Office Document (.doc/.xls) to infect with Target Executable.
Infected File: Select other File-Type to infect with Target Executable (File will be renamed to .extension.exe)
Advanced File Name Conversion: Keep original File-Extension using Name Formatting (Right-to-Left) Technique. If disabled, the file extension will be changed (e.g. file.jpg.exe)
Bootable ISO Image: Create an ISO file that can be written on a CD/DVD that deploys the Target Executable when booting from the device.



Name                            Description
Infected Application            Any executable (*.exe) can be used to merge with the FinSpy Target Executable.
Infected Screensaver            Any screensaver (*.scr) can be used to merge with the FinSpy Target Executable.
Infected Office Document        Any Microsoft Word or Microsoft Excel document can be used to merge with the FinSpy Target Executable. The format must be .doc or .xls and NOT .docx or .xlsx!
Infected File                   Any file (e.g. .jpg, .avi, .ppt) can be used to merge with the FinSpy Target. The file extension will change to: filename.extension.exe
Advanced File Name Conversion   In case "Infected File" was chosen, another technique can be used to be even more covert. The filename makes use of an RTL (right-to-left) technique. The filename will now be: exe.filename.jpg
Bootable ISO Image              With this infection technique a bootable CD or DVD will be created with which the Target system will be infected on boot.
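Both file-name forms described above (a decoy extension followed by .exe, and a right-to-left name that displays as exe.filename.jpg) can be flagged at a mail gateway or during triage of a file listing. The following check is an added example and not part of the manual; the extension lists, function names and sample names are assumptions and constructed, and the display simulation is a simplification of the Unicode bidirectional algorithm (UAX #9).

```python
from dataclasses import dataclass

RLO, PDF = "\u202e", "\u202c"  # right-to-left override, pop directional formatting
# Unicode bidirectional control characters that change display order.
BIDI_CONTROLS = set("\u200e\u200f\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}  # assumed list
DECOY_EXTS = {"jpg", "jpeg", "png", "gif", "avi", "mp3", "pdf", "ppt", "doc", "xls", "txt"}


@dataclass
class Finding:
    name: str       # name as stored on disk or in the attachment header
    shown: str      # approximate name as a user interface would display it
    real_ext: str   # extension the operating system acts on
    shown_ext: str  # extension the user believes to see
    reasons: list


def strip_controls(name):
    return "".join(ch for ch in name if ch not in BIDI_CONTROLS)


def extension(name):
    _, dot, ext = name.rpartition(".")
    return ext.lower() if dot else ""


def displayed_name(name):
    """Approximate rendering: text after an RLO is shown reversed until PDF or end."""
    out, run, in_rlo = [], [], False
    for ch in name:
        if ch == RLO:
            in_rlo = True
        elif ch == PDF and in_rlo:
            out.extend(reversed(run))
            run, in_rlo = [], False
        elif ch in BIDI_CONTROLS:
            continue
        elif in_rlo:
            run.append(ch)
        else:
            out.append(ch)
    out.extend(reversed(run))
    return "".join(out)


def check_name(name):
    stored = strip_controls(name)
    shown = displayed_name(name)
    real_ext, shown_ext = extension(stored), extension(shown)
    reasons = []
    if stored != name:
        reasons.append("bidi-control")        # no legitimate need in most file names
    if real_ext != shown_ext:
        reasons.append("extension-mismatch")  # displayed type differs from real type
    parts = stored.lower().split(".")
    if len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in DECOY_EXTS:
        reasons.append("double-extension")    # e.g. file.jpg.exe
    return Finding(name, shown, real_ext, shown_ext, reasons)


def scan(names):
    return [f for f in map(check_name, names) if f.reasons]


# Constructed sample names; the second is written with an escape so the
# control character stays visible in source.
SAMPLE_NAMES = ["holiday.jpg.exe", "\u202egpj.emanelif.exe", "minutes.doc",
                "setup.exe", "archive.tar.gz"]

if __name__ == "__main__":
    for f in scan(SAMPLE_NAMES):
        print(repr(f.name), "->", f.shown, f.real_ext, f.reasons)
```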
Infection Dongle

[Screenshot: "Infection Dongle" options with the following text]

Bootable Infection Dongle: Install a bootable Operating System on the USB device that deploys the Target Executable when booting from the device.
Runtime Infection Dongle: Install the Target Executable on the USB device that deploys the Target Executable through the Autorun feature.

Name                        Description
Bootable Infection Dongle   Creates a USB Infection which allows infecting the Target System during boot.
Runtime Infection Dongle    Creates a USB Infection Dongle with automatic execution.
2.3 FinSpy Agent- Administration

The Administration section on the left pane of the FinSpy Agent makes it possible to make changes to the
FinSpy Master, to view Log files or to display who is currently using the system. To view and change
these settings, an "Administrator" user must be logged in.



[Screenshot: "Administration" navigation pane with the entries Configuration, Show Logfiles, Agent List and License Information]



2.3.1 Configuration 

Within the "Configuration" settings, all important changes can be made to the FinSpy Master remotely. If
the Master is not reachable for any reason, the changes need to be done manually. See FinSpy Master -
Configuration.



Name                          Description
User Management               Users can be added, edited and deleted through the User Management.
Agent Configuration           Specify where all exported Data will be saved.
Network                       Configuration of the Internal and External Network Interfaces.
Relay Network Configuration   Configuration of connection details for the FinSpy Targets.
Email Notification            Configuration of the Email server, user and password for Email notification.
Updates                       Configuration of the FinSpy Master and FinSpy Target Updates.
Evidence Protection           Configuration of the Evidence Protection certificates, logging activity and functionality.
LEMF Interface                LEMF database configuration.
2.3.1.1 Configuration - User Management

Inside the User Management, System Administrators and Administrators can perform very granular
User Management. There are three different types of Users:

1. System Administrator 

2. Administrator 

3. User 



The following rights are given to each user:

System Administrator

• Create / Delete / Modify ALL Users (Including System Administrators)

• Configure FinSpy Master (Network, Evidence Protection, Updates, etc)

• Full functionality of FinSpy

Administrator

• Full Target Control of all Targets

• Target Creation

• Assign regular Users to Targets

• Install FinSpy Agent updates

• All Data Analysis related functionality

Users

• Functionality depends on what was assigned to the user



Note: The upgrade from 2.40 to 2.50 will convert all users to System Administrators by default! 
By selecting "User Management" all users on the system will be listed.





Users 


Fullname 


Username 


Role 


i i 






devl 


System mch" ^is-'ato 


x 




user 2 


dev2 


Svsterji Adrinni^lr bt 








dev3 


System A.cn "is.'atc 






1 uc an 




System A.cn rMsirato 










System A.cn "is.'atc 






pierre 


pk 


System Acm r.isirato 


#> 




James Tester 


James 


User 






alfa 


alfa 


System Administrate 






Alex da' Mac MAN 


ab 


System Administrate 


x 




Ih da' user 


Ihl 


User 


X 




lucian da" 2nd user 


-2 


User 






bsdfsds 


IM 


User 






viviana 


vc 


System Administrate 


X 




omega 


omega 


System Administrate 


X 




test3 


osdf 


User 


X 




test 


test 


User 


X 




test2 


test2 


User 






test4 


test4 


User 


X 




:est5 


leit5 


User 


X 




werner test 


wh 


System Administrate 






filrtiP 


alex2 


Administrator 

















It is possible from here to select, add (1) or delete (2) users. 

If a user is added, another box below is displayed. A Username and a Password are required!



[Screenshot: "Account Information" box with the fields Username, Full name, Role, Password and Confirm Password]



In the last step, one or multiple targets can be assigned for each user. 
2.3.1.2 Configuration - Agent Configuration

Inside the Agent Configuration the Export folder is defined. 

This will include all created FinSpy Targets, exported Evidence and updated FinSpy Agent version 
installers. 



[Screenshot: "Export Options" with the following setting]

Export Folder: C:\Users\Test\Documents\FinSpyAgent
Specify the folder where all exported Data will be saved.



2.3.1.3 Configuration - Network 

The network configuration is divided into two parts. One is for the FinSpy Agent and one for the FinSpy 
Target Connection. 

The Agent interface can be configured to be reachable not only from the internal LAN, but also from
the Internet. These settings must be used with caution, as they allow connections from outside to the
FinSpy Master. If this setting is activated, the FinSpy Agent needs to have the external IP of the FinSpy
Master to connect to it, even though it might be in the same LAN.



[Screenshot: "Agent Interface" settings with the following text]

Agent Listener Port: 1119
Allow External Access
Allow Agents to connect to the Master remotely over the public interface. Note: This is a potential security risk, as it enables remote connections to the Master.



Public interface controls the network settings given by the provider to establish a connection to the 
internet and being reachable from the internet. This can be either set manually "Manual (Static)" or 
retrieved via DHCP from a Router connected to the internet. 



[Screenshot: "Public Interface" settings with Network Mode "Manual (Static)", IP Address 192.168.222.35, Netmask 255.255.255.0 and the fields Gateway, Nameserver 1 and Nameserver 2 (values shown: 192.168.222.100, 192.168.0.1)]
2.3.1.4 Configuration - Relay Network Configuration

The Relay Network Configuration defines a single relay or multiple relays for the connection of the 
FinSpy Target to the FinSpy Master or FinSpy Relay. These settings will be retrieved by the FinSpy Agent 
during creation of a FinSpy Target and set automatically. 



[Screenshot: "Relay Configuration" with the following settings]

Relay IP Address(es): tiger.gamma-international.de (IP Address / Hostname)
Relay Port(s): 1111, 1112, 1113 (TCP Port(s))



2.3.1.5 Configuration - Email Notification 

Settings for the Email notification can be set here. The following templates are available:



• Local MTA (the FinSpy Master Mail server) 

• Predefined Free Mailer 

• Custom 



[Screenshot: "Email Notification" settings with the following example values]

Template:
Server: smtp.googlemail.com
Port: 465
Username: user@gmail.com
Password: password
Email Address: user@gmail.com
From Name: fs-notifier
Auth Type: login
SSL/TLS




Every template needs some minor adjustments like sender Email address, username, password or the 
From Name. 
2.3.1.6 Configuration - Updates

Updates of the FinSpy Master Software and the FinSpy Target Modules can be defined here. Both can be
set to "Automatic" or "Manual". With "Automatic", the Update Server provided by Gamma International
is checked for a newer version at a short interval, which is normally 24 hours. With "Manual", an
update check will be performed only on user request.



[Screenshot: "Master Update" and "Target Update" settings with the following text]

Master Update

Update Mode:
Set to 'Automatic' to enable regular update checks by the Master. In case an update is available, it will be automatically installed.

Target Update

Update Mode: Manual
Set to 'Automatic' to automatically update the Target software on each Target System whenever an update is available.



2.3.1.7 Configuration - Evidence Protection 

To access this feature on the FinSpy Agent, it must first be enabled on the FinSpy Master. To do so,
"Evidence Protection" has to be set to "Full" (1). If only the Activity on a Target should be
logged, this option can also be set to "ActivityLog only".

Once the feature is activated on the FinSpy Master, all newly collected evidence will be digitally signed
using a key self-generated by the FinSpy Master. It is also possible to import an own key into the
FinSpy Master (2).

Furthermore, the Logging Level (3) can be set to Minimal, Normal, Verbose or completely disabled.



[Screenshot: "Evidence Protection" configuration with the callouts 1 to 3 and the following text]

Evidence Protection (1): logging of performed operations and digital signing of all acquired evidence.
Certificate: serial=EQAF99F0DlB41F19 subject= /CN=FinSpyMaster notAfter=Mar 14 13:28:29 2020 GMT

Get Certificate / Import Certificate (2)
'Get Certificate' allows you to extract the Certificate required by the Evidence Verification tool in order to ensure the integrity of the exported Evidence. 'Import Certificate' enables you to use a custom Certificate for the signing of acquired Evidence.

Logging Level (3): Normal
Configure the verbosity of the activity log file.
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2.3.1.8 Configuration - LEMF Interface 

For the integration of an external LEMF Interface this option must be enabled. The FinSpy Master server 
has a dedicated network interface (eth2) for those interactions. 

To specify the external database the following options can be given: 

• Server

• Port

• Interval Limit

• Datasize Limit

• Archive Lifetime

[Screenshot: LEMF Interface configuration]

Data submission: Enable the Submission interface in order to transmit all received Data over the dedicated network interface to an external Database.

Submission Type: Automatic transmission of accumulated data triggered by the interval limit or datasize limit or manual ...

Archive Lifetime: The lifetime of archived transmitted sessions or stored sessions in case of Manual Submission type.

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2.3.2 Show Logfiles 

The Logfile viewer lets you monitor the logs of the FinSpy Master.
Log entries are divided into three categories:

• Info 

• Warning 

• Error 

All data will then be shown with its Date, Category and Event Description. 

Additionally, all the data can be exported to view the log files offline or with some other editor. 



[Screenshot: Master Logfile viewer]

Date                      Category  Event Description
Wed Jun 23 17:01:08 2010  INFO      Software Info:
Wed Jun 23 17:01:08 2010  INFO      Master Module, Release 2.36
Wed Jun 23 17:01:08 2010  INFO      Master is running in DEFAULT operation mode
Wed Jun 23 17:01:08 2010  ERROR     Target GxEE34B729 has already a Target License ['3706317O-7eb7-lldf-...
Wed Jun 23 17:01:08 2010  ERROR     Error allocating memory reading the Target License File
Wed Jun 23 17:01:54 2010  INFO      Software Info:
Wed Jun 23 17:01:54 2010  INFO      Master Module, Release 2.36
Wed Jun 23 17:01:54 2010  INFO      Master is running in DEFAULT operation mode
Wed Jun 23 17:01:54 2010  INFO      ETorooen ~g Target License File V'usr/local/finspy_mas:e r _devel/data/f...
Wed Jun 23 17:01:54 2010  INFO      gbl_socket_listen: All interfaces, port: 1119
Wed Jun 23 17:01:54 2010  INFO      gbl_socket_listen returns 0.. socket_id = 3.. port = 1119, errno = 0
Wed Jun 23 17:01:54 2010  INFO      Trying to create new thread 1
Wed Jun 23 17:01:54 2010  INFO      Created new update thread = a5809b70
Wed Jun 23 17:01:54 2010  INFO      Trying to connect to Proxy 'localhost', port 1118
Wed Jun 23 17:01:54 2010  INFO      Trying to create new thread 2
Wed Jun 23 17:01:54 2010  INFO      Created new update thread = a4dffb70
Wed Jun 23 17:01:54 2010  INFO      Trying to create new thread 3
Wed Jun 23 17:01:54 2010  INFO      Created new update thread = a45feb70
Wed Jun 23 17:02:00 2010  INFO      Master terminals
Wed Jun 23 17:02:09 2010  INFO      Software info:

Show Category: [ ] Info  [ ] Warning  [ ] Error

Export Logfile

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2.3.3 Agent List 

If the Administrator of the FinSpy System wants an overview of all Agents, the "Agent List"
can be used. It shows all necessary information about an Agent, such as connection information.



[Screenshot: Agent List with the columns Username, Login, Group, Agent UID, Login Time, Logoff Time, IP, Version and Connected To Target. Five users of the group "System Administrator" are listed; four have Agent UID 0 and no session data, one is shown as "still logged in" since 2010-07-12 11:41:57 with client version 2.36.]



Name                 Description
Username             Description of the User
Login Name           Username which is used to login
Group                Group to which the User belongs
Agent UID            Unique ID of each FinSpy Agent Software
Login Time           Since when is the user logged in
Logoff Time          When the user logged off
IP                   From which IP the user logged in
Version              Which client version is the user using
Connected To Target  To which target is the user currently connected

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2.3.4 License Information 

Licenses can be imported directly through the FinSpy Agent and become active immediately. The following
information is shown for the license:

• Machine UID

• Software UID

• Software Name

• Customer UID

• Valid From

• Valid Until

• Number of Targets

• Number of Agents

• Version Type

• Status



[Screenshot: License Information dialog showing the fields listed above, with the buttons "Import License" and "Done". Legible values: FinSpyV2, C71591B2, 12/12/2012 7:21PM, Number of Targets: SO (13 in use), Number of Agents: 30, Version Type: Demo, Status: Valid (556 days left).]



Exclusively supplied to and authorized use by police, intelligence, security, and other government agencies



FinSpy / User Manual 




2.3.5 LEMF - Data Management 

The LEMF - Data Management feature allows the user to control the data flow from the FinSpy
System to the configured Monitoring Centre. Data is collected on the FinSpy System into sessions. Once
the configured time threshold or the configured data quantity threshold is reached, the session is
finalized and the data is transmitted to the configured Monitoring Centre. All transmitted sessions
are archived and kept on the FinSpy System for the configured period of time.

Through LEMF - Data Management the user can review all transmitted sessions and resend full
sessions or just specific data from a certain session.



[Screenshot: FinSpy Agent, "LEMF Data Management" tab, Transmitted Data Statistics]

Transmitted Sessions: 0, containing 0 files with a total of 0 B
Current open session: 0 files with a total of 0 B
Last Transmission: 1/1/1970 12:00:00 AM
Retransmitted Sessions: 0, containing 0 files with a total of 0 B

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FINSPY MASTER 
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This chapter will cover the installation and configuration of the FinSpy Master. The FinSpy Master is the 
central data collector and manages the data. The FinSpy Master includes the FinSpy Proxy. The FinSpy 
Proxy retrieves the data from the FinSpy Target and the FinSpy Relay connections. 

The default setup should look like this: 



[Diagram: default FinSpy Master setup]

GAMMA Update Server
    Default Port: 42662
    Default Hostname: update.gamma-international.de

Router / GW
    Provides an IP address via DHCP for FinSpy Proxy

FinSpy Target
    Sends Heartbeat to FinSpy Proxy

FinSpy Proxy
    Default IP: via DHCP from Router / Default GW
    Default Ports: arbitrary, e.g. 22, 53, 80, 4111
    Default Interface: eth0

FinSpy Master
    Default IP: 10.77.77.1
    Default Ports: 9119
    Default Interface: eth1

Data Forwarding Interface
    Default IP: 172.16.77.1
    Default Ports: -
    Default Interface: eth2

FinSpy Agent network: 10.77.77.0/24

Monitoring Center network: 172.16.77.0/24 (static)

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2.4 FinSpy Master - Installation 

Except for the license, the FinSpy Master software is preinstalled on the FinSpy Master hardware. This
means that only the license needs to be generated and installed via a Machine-ID.

This Machine-ID must be sent to your GAMMA sales contact to request the license package which
contains the valid license. The following command will generate the Machine-ID:

# sudo /usr/local/finspy_master/bin/generate_machine_id -x

When you have received the license package from GAMMA support, don't unpack it. Copy the archive to a
USB stick or burn it to a CD-ROM.

Mount USB-Stick or CD/DVD on the FinSpy Master:

CD-ROM:

# sudo mount /media/cdrom0

USB-Stick:

# sudo mount /dev/sdb1 /mnt/usb

Copy the license archive to /usr/local/finspy_master/data/license

CD-ROM:

# cp /media/cdrom0/CERTS-FINSPYV2-Customer_ID-Machine_ID-XX.DAYS.zip \
/usr/local/finspy_master/data/license

USB-Stick:

# cp /mnt/usb/CERTS-FINSPYV2-Customer_ID-Machine_ID-XX.DAYS.zip \
/usr/local/finspy_master/data/license

Change the directory and unzip the license file.

# cd /usr/local/finspy_master/data/license
# unzip CERTS-FINSPYV2-Customer_ID-Machine_ID-XX.DAYS.zip

Remove the license zip file.

# rm CERTS-FINSPYV2-Customer_ID-Machine_ID-XX.DAYS.zip

The license is now successfully installed.

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2.5 FinSpy Master - Configuration 

This chapter describes the steps needed to configure the FinSpy Master correctly.

The main configuration file for the FinSpy Master is "finspy_master.cfg".

2.5.1 General

The default template needs to be renamed to activate the changes.

# cd /usr/local/finspy_master/data/
# cp finspy_master.cfg_template finspy_master.cfg

To edit the file the text editor "nano" can be used.

# nano /usr/local/finspy_master/data/finspy_master.cfg

Now the following parameters need to be activated and / or edited:

FIN_AGENT_NETWORK_INTERFACE = eth1

FIN_PROXY_1 = 127.0.0.1, 911 £

# use the Ports as defined in finspy_proxy.cfg as FIN_TARGET_PORTS
FIN_TARGET_PROXY_1 = PROXY-IP/HOSTNAME, PROXYPORTS

# could be changed to another mount point e.g. /mnt/data
# The internal HW-RAID shall be used
FIN_REPOSITORY_VOLUME = /mnt/xyz






2.5.2 Users Management 

In the first step it is necessary to create the users who are able to connect to the FinSpy Master.

# cd /usr/local/finspy_master/data/
# sudo cp fin_passwd_template .fin_passwd

Open the .fin_passwd file to create, change or delete user accounts.

# sudo nano .fin_passwd

This will show the template data in the following structure:

userid ; groupid ; login name ; user description ; password ; database permission ; file permission

The following parameters can be changed:

userid ; login name ; user description ; password

Note: "login name" and "password" have a maximum length of 16 characters, and ";" is not allowed as
a character.

All other values are reserved for future releases and should not be changed!

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2.5.3 Update - Automatic 

The update settings are also stored in "finspy_master.cfg" and should not be changed!

FINUM_SERVER = update.gamma-international.de
FINUM_PORTS = 42662
FINUM_DESTINATION_PATH = ../updates

To force an update request, the FinSpy Master needs to be stopped and started, which will make the
FinSpy Master automatically connect to the GAMMA Update server.

# sudo /etc/init.d/finspy_master stop
# sudo /etc/init.d/finspy_master start

To check for the currently installed version, you can use the following command:

# cat /usr/local/finspy_master/data/version

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2.5.4 Update - Manual 

To update the FinSpy Master manually, the latest version can be obtained via E-Mail from Gamma
support. The two files will be "finspy_master_2-xx.ggi" and "finspy_proxy_2-xx.ggi". The files must be
copied to a USB-Stick or burned to a CD/DVD.

Mount USB-Stick or CD/DVD on the FinSpy Master:

CD-ROM:

# sudo mount /media/cdrom0

USB-Stick:

# sudo mount /dev/sdb1 /mnt/usb

Both files must be copied to the /tmp directory.

CD-ROM:

# cp /media/cdrom0/* /tmp

USB-Stick:

# cp /mnt/usb/* /tmp

Change the directory and execute the files:

# cd /tmp
# ./finspy_master_2-xx.ggi
# ./finspy_proxy_2-xx.ggi

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2.5.5 Evidence Protection 

By default the "Evidence Protection" feature is disabled. To activate it, the following configuration
switch in "finspy_master.cfg" needs to be changed to "true".

FIN_EVIDENCE_PROTECTION = true

To activate the changes, the FinSpy Master needs to be restarted:

# sudo /etc/init.d/finspy_master stop
# sudo /etc/init.d/finspy_master start

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2.5.6 E-Mail Notification 

By default, FinSpy Master uses its local MTA (Mail Transfer Agent). No authentication or TLS is used.
The following parameters are necessary:

# IP-Address of MTA:
FIN_MX_NOTIFY_SERVER = 127.0.0.1

# SMTP Port:
FIN_MX_NOTIFY_PORT = 25

# Authentication Mode:
FIN_MX_NOTIFY_AUTH = plain

# RCPT FROM - User (exim only accepts "FinSpy-MP" Domain! case sensitive!)
FIN_MX_NOTIFY_SENDER = fs@FinSpy-MP

# Alias = arbitrary:
FIN_MX_NOTIFY_ALIAS = fs-notifier

FinSpy Master can also use a free webmail service (e.g. Gmail) to transport all notification messages.
Most of them need pre-authentication & TLS!

# Hostname (SMTP Server Gmail):
FIN_MX_NOTIFY_SERVER = smtp.googlemail.com

# SMTP - Port:
FIN_MX_NOTIFY_PORT = 25

# GMAIL Username:
FIN_MX_NOTIFY_USER = user@gmail.com

# GMAIL - Password:
FIN_MX_NOTIFY_PASS = top_secret

# GMAIL required TLS:
FIN_MX_NOTIFY_TLS_ENABLE = yes

# TLS Auth. type = login:
FIN_MX_NOTIFY_AUTH = login

# Sender = GMAIL Username:
FIN_MX_NOTIFY_SENDER = user@gmail.com

# Alias = arbitrary:
FIN_MX_NOTIFY_ALIAS = fs-notifier

The FIN_MX_NOTIFY_ALIAS will act as the Sender Name.

[Screenshot: received notification "finspy MTA check" with the alias fs-notifier shown as sender name]

To activate the changes, the FinSpy Master needs to be restarted:

# sudo /etc/init.d/finspy_master stop
# sudo /etc/init.d/finspy_master start

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2.6 FinSpy Master - Proxy Configuration 

The FinSpy Proxy needs only a minimal setup, as almost everything is already preconfigured. The FinSpy
Proxy needs to know on which ports it will listen.

The main configuration file for the FinSpy Master is the "finspy_proxy.cfg".
The default template needs to be renamed to activate the changes.

# cd /usr/local/finspy_proxy/data/
# cp finspy_proxy.cfg_template finspy_proxy.cfg

To edit the file the text editor "nano" can be used.

# nano /usr/local/finspy_proxy/data/finspy_proxy.cfg

Now the following parameters need to be activated and / or edited:

FIN_MASTER_NETWORK_INTERFACE = lo
FIN_TARGET_NETWORK_INTERFACE = eth0
FIN_TARGET_PORTS = 22,53,80,443,4111

To activate the changes, the FinSpy Master needs to be restarted:

# sudo /etc/init.d/finspy_proxy stop
# sudo /etc/init.d/finspy_proxy start

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2.7 FinSpy Master - Remote and Offline Master Configuration 

It is possible to set up a Remote Mode and an Offline Mode. These split the FinSpy Master
functionality across two FinSpy Masters with complementary, limited functionality.

The Remote Master is contacted by the Targets and stores the received, encrypted recordings. The
Offline Master holds the recorded files in its database, where the FinSpy Agent can process the data.
The recorded files have to be imported into the Offline Master with the Agent. This gives the Offline
Master better protection if remote attacks are conducted.



2.7.1 Remote Master Configuration 

To set up the Remote Master, the following parameter must be added to the "finspy_master.cfg" file.

Set Remote Master Mode:

FIN_MASTER_MODE = REMOTE

Copy the required certificates and the fin_target_licenses.txt from the Offline Master to a USB Stick:

# sudo mount /dev/sdXX /mnt/usb
# sudo cp /usr/local/finspy_master/data/certs/trojan-commu* /mnt/usb
# sudo cp /usr/local/finspy_master/data/fin_target_licenses.txt /mnt/usb
# sudo umount /mnt/usb

Copy the required certificates and the fin_target_licenses.txt from the USB Stick to the Remote Master:

# sudo mount /dev/sdXX /mnt/usb
# sudo mv /mnt/usb/trojan-commu* /usr/local/finspy_master/data/certs/
# sudo mv /mnt/usb/fin_target_licenses.txt /usr/local/finspy_master/data/
# sudo umount /mnt/usb

To activate the changes, the FinSpy Remote Master needs to be restarted:

# sudo /etc/init.d/finspy_proxy stop
# sudo /etc/init.d/finspy_master stop
# sudo /etc/init.d/finspy_proxy start
# sudo /etc/init.d/finspy_master start













2.7.2 Offline Master Configuration 

To set up the Offline Master, the following parameter must be added to the "finspy_master.cfg" file.

Set Offline Master Mode:

FIN_MASTER_MODE = OFFLINE

Assume FIN_TARGET_PROXY_1 values from Remote Master:

FIN_TARGET_PROXY_1 = (same values as Remote Master)

To activate the changes, the FinSpy Offline Master needs to be restarted:

# sudo /etc/init.d/finspy_master stop
# sudo /etc/init.d/finspy_master start

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2.7.3 Data Transfer 

Data must be transferred from the Remote Master to the Offline Master and then imported into the
database there.

2.7.3.1 Export Data from Remote Master 

• Connect Agent to the Remote Master 

• Please select Data Transfer 



[Screenshot: FinSpy Agent connected to the Remote Master, Target List view with the "Data Transfer" menu entry]

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• Select Export 




[Screenshot: Data Transfer view, FinSpy Agent connected to the Remote Master]

Choose the file exported from the Offline Master which contains the offline Target configuration. The data will be pushed to the Targets as soon as they are coming online.

Remote Master Data Archive: Choose a location where to export Evidence Protection information, information about the Target status (new targets, removed targets, ...) as well as Target recor...

[Export]

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2.7.3.2 Import Data to the Offline Master 



• Connect Agent to the Offline Master

• Select Data Transfer

[Screenshot: FinSpy Agent Target List view with the "Data Transfer" menu entry]

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• Select Import 



[Screenshot: "Offline Master Data Transfer" tab, FinSpy Agent connected to the Offline Master]

Remote Master Data Archive: Choose the file which contains the data exported from the Offline Master. The Archive contains updated Evidence Protection information, information about the Target Status (new targets, removed targets, ...) as well as Target recorded data.

Offline Master Configuration Archive: Choose a location where to save the Target Offline configuration information. This information should be imported on the Remote Master which will push it to the Targets.

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2.8 FinSpy Master - Monitoring 

A monitoring daemon is installed on the system. It checks applications such as FinSpy Master and
FinSpy Proxy and restarts them if necessary.

The software being used is "monit". Monit automatically checks if the defined services are running.

FinSpy Master and FinSpy Proxy need to be configured first.

In the following, "finspy_xxx" stands for both commands:

• finspy_master

• finspy_proxy

Configure the "monit" daemon to monitor finspy_xxx:

# sudo monit monitor finspy_xxx
# sudo /etc/init.d/monit restart

Check if finspy_xxx is running:

# sudo monit summary

The following results may appear:

Successful:

Process 'finspy_proxy'    running

Failed:

Process 'finspy_proxy'    not monitored
Process 'finspy_proxy'    Does not exist

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2.9 FinSpy Master - Port forwarding 

The FinSpy Master must be able to receive packets from the internet through a Router or
Firewall. Normally, Routers or Firewalls block TCP packets which come from outside. That means that
some ports on the Router or Firewall must be forwarded to the internal network. This is called Port
Forwarding.

Every Router or Firewall handles this differently. Please check the corresponding manual on how to do
this.

In the following example a Linksys Router was chosen. In this case our FinSpy Master has the IP
"192.168.1.102" and should receive packets on the Ports 21, 25, 80 and 443.



[Screenshot: Linksys WRT610N web interface, Applications & Gaming > Single Port Forwarding, with entries for the ports 21, 80, 25 and 443 forwarded to 192.168.1.102 and enabled]

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2.10 FinSpy Master- Dynamic DNS 

If the FinSpy Master cannot obtain a public static IP address, dynamic DNS can be used. A dynamic
DNS service allows users to have a subdomain that points to a computer with a regularly changing
IP address.

On the FinSpy Master this can be realized with a small application called "ddclient". "ddclient" is used to
update dynamic DNS entries for accounts on Dynamic DNS Network Services' free DNS service. Various
free DNS services can be used, like DynDNS.com.

To use "ddclient" a registration is required on the page.

To install ddclient:

# sudo aptitude install ddclient

It will ask several questions during the installation.

Which service shall be used:

    Please select the dynamic DNS service you are using. If the service you use is not listed, choose "other" and you will be asked for the protocol and the server name.

    Dynamic DNS service providers:

    www.easydns.com
    dslreports.com
    www.zoneedit.com
    other

    <Ok>

Username which is registered on the service: 
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Auto retrieval of the IP address: 



    Configuring ddclient

    Please choose whether ddclient should try to find the IP address of this
    machine via the DynDNS web interface. This is recommended for machines
    that are using Network Address Translation.

Updating host:

    Configuring ddclient

    You'll have to select which host names to update using ddclient. You
    can select host names to update from a list (taken from your DynDNS
    account) or enter them manually.

    Selection method for updated names:

    From list
    Manually

    <Ok>

After the installation, everything should now run with the host finspy-test.dyndns.com.

If some configuration needs to be changed, the configuration file is located at "/etc/ddclient.conf" and
should look like this:

protocol=dyndns2
use=web, web=checkip.dyndns.com, web-skip='IP Address'
server=members.dyndns.org
login=finspy-test
password='df Uc ! 4 5Xf P'

Username and Password can easily be edited.

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3 FINSPY RELAY 



4 FinSpy Relay

4.1 FinSpy Relay - Configuration Options

4.2 FinSpy Relay - Windows

4.2.1 Prerequisites

4.2.2 Installation

4.2.3 Monitoring

4.3 FinSpy Relay - Linux

4.3.1 Prerequisites

4.3.2 Installation

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The FinSpy Relay will handle and relay all connections from the FinSpy Target to the FinSpy Master. The 
FinSpy Relay acts as a proxy between those two endpoints. This avoids a direct
connection from the FinSpy Target to the FinSpy Master. Instead, the FinSpy Relay can reside in any
place in the world.

The FinSpy Relay is a small program which can be installed on most Windows and Linux Operating 
Systems. 
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3.1 FinSpy Relay - Configuration Options 

The FinSpy Relay runs according to the settings from the "relay.cfg" file which can be found in the 
following directories. 

Windows: In the same directory of the binaries where FinSpy Relay was installed 
Linux: /usr/local/fj relay/data/ 



The "relay.cfg" file contains the following settings: 



Name / Description

CFG_TARGET_PORTS
    Contains the ports where the FinSpy Relay "listens" for incoming FinSpy Target
    connections, e.g.:
    CFG_TARGET_PORTS = 1111, 1112, 1113

CFG_NEXT_HOP_1
    Contains the Hostname and ports where the Relay should connect to (next
    FinSpy Relay or FinSpy Master/Proxy), e.g.:
    CFG_NEXT_HOP_1 = 192.168.0.49, 1111

CFG_SOCKET_TIMEOUT
    Contains the socket read/write timeout in seconds, e.g.:
    CFG_SOCKET_TIMEOUT = 10



The default template of the "relay.cfg" which comes with the FinSpy Relay: 



# Configuration file for the Relay Module

# list of ports for incoming (target-side) connections:
CFG_TARGET_PORTS = 2000

# Next hops to connect (relays, proxy)
CFG_NEXT_HOP_1 = hostname, 2050

# socket read/write-timeout (in seconds)
CFG_SOCKET_TIMEOUT = 10
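
The "finspy_master.cfg", "finspy_proxy.cfg" and "relay.cfg" settings shown in sections 2.5, 2.6 and 3.1 share one layout: "KEY = value" lines with "#" comment lines. The following Python code is an added example, not part of the manual or the product: for an analyst reviewing such a file found on a host, it reports the listening ports, the forwarding hops and weak mail settings. The function names and the well-known-port table are assumptions, the scanned key suffix is read as the digit 1 (CFG_NEXT_HOP_1), and a missing "FIN_MX_NOTIFY_TLS_ENABLE = yes" is taken to mean that TLS is off.

```python
import ipaddress

# Services that normally own these ports (constructed lookup, not from the manual).
WELL_KNOWN = {21: "ftp", 22: "ssh", 25: "smtp", 53: "dns", 80: "http", 443: "https"}
# Keys whose value is "host, port[, port...]" on the page.
HOP_PREFIXES = ("CFG_NEXT_HOP_", "FIN_PROXY_", "FIN_TARGET_PROXY_")
# Keys whose value is a comma-separated list of listening ports.
LISTEN_KEYS = ("CFG_TARGET_PORTS", "FIN_TARGET_PORTS")


def parse_cfg(text):
    """Return {key: value} for 'KEY = value' lines; '#' lines are comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def parse_ports(value):
    """'22,53, 80' -> [22, 53, 80]; raises ValueError on a bad port."""
    ports = []
    for item in (p.strip() for p in value.split(",")):
        if not item:
            continue
        port = int(item)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        ports.append(port)
    return ports


def is_loopback(host):
    """True for 'localhost' or a loopback IP literal; other names count as remote."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def triage(text):
    """Summarise listening ports, forwarding hops and weak settings."""
    cfg = parse_cfg(text)
    report = {"listen_ports": [], "next_hops": [], "findings": []}

    for key in LISTEN_KEYS:
        if key in cfg:
            report["listen_ports"] += parse_ports(cfg[key])
    for port in report["listen_ports"]:
        if port in WELL_KNOWN:
            report["findings"].append(
                f"listens on port {port}, normally used by {WELL_KNOWN[port]}")

    for key, value in cfg.items():
        if not key.startswith(HOP_PREFIXES):
            continue
        host, _, rest = value.partition(",")
        try:
            report["next_hops"].append((host.strip(), parse_ports(rest)))
        except ValueError:
            # e.g. the unedited template line "PROXY-IP/HOSTNAME, PROXYPORTS"
            report["findings"].append(f"{key} has no usable port list: {value!r}")

    server = cfg.get("FIN_MX_NOTIFY_SERVER")
    if server is not None:
        # Assumption: TLS is on only when the switch is explicitly "yes".
        tls = cfg.get("FIN_MX_NOTIFY_TLS_ENABLE", "").lower() == "yes"
        if not tls and not is_loopback(server):
            report["findings"].append(
                f"notification mail to {server} is sent without TLS")
        if "FIN_MX_NOTIFY_PASS" in cfg:
            report["findings"].append(
                "SMTP password is stored in clear text in the config file")
    return report


# Sample inputs assembled from the values shown on the page.
RELAY_CFG = """\
# Configuration file for the Relay Module
CFG_TARGET_PORTS = 1111, 1112, 1113
CFG_NEXT_HOP_1 = 192.168.0.49, 1111
CFG_SOCKET_TIMEOUT = 10
"""
PROXY_CFG = "FIN_TARGET_PORTS = 22,53,80,443,4111\n"
# Constructed variant: the page's Gmail block with the TLS line left out.
MAIL_CFG = """\
FIN_MX_NOTIFY_SERVER = smtp.googlemail.com
FIN_MX_NOTIFY_PORT = 25
FIN_MX_NOTIFY_PASS = top_secret
FIN_MX_NOTIFY_AUTH = login
"""

if __name__ == "__main__":
    for name, text in (("relay", RELAY_CFG), ("proxy", PROXY_CFG), ("mail", MAIL_CFG)):
        print(name, triage(text))
```
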






3.2 FinSpy Relay - Windows 



3.2.1 Prerequisites 



Windows Firewall

To operate a Windows Computer as a FinSpy Relay, the following preparation must
be made. The Windows Firewall should be instructed to let the FinSpy Relay accept
and forward data. The Windows Firewall is enabled by default on every Windows
Computer.

[Screenshot: Start menu search results for "windows firewall"]

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Click "Allow a program through Windows Firewall". 



[Screenshot: Windows Firewall control panel]



At the "Exceptions" Tab, click "Add Port" in order to add the ports the FinSpy Relay will be working with. 



[Screenshot: Windows Firewall Settings dialog, "Exceptions" tab]






Enter one of the ports where the FinSpy Relay "listens" for the Targets or a port used by the FinSpy 
Relay to send out data. 



[Screenshot: "Add a Port" dialog with the fields Name, Port number (1111) and Protocol (TCP / UDP)]



Now the ports must be selected in the exception list to activate them. 



[Screenshot: Windows Firewall Settings dialog, "Exceptions" tab, with the added port entry in the list]



Repeat the steps to add all the incoming and outgoing ports used by the FinSpy Relay.
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3.2.2 Installation 

To install the FinSpy Relay in Windows the Installer needs to be executed. 
The filename is: Relaylnstaller_2.xx.x.msi 
This will start the installation. 



[Screenshot: FFRelay Setup, "Welcome to the FFRelay Setup Wizard"] 



At the License Agreement "I accept the terms in the License Agreement" must be selected. 



[Screenshot: FFRelay Setup, "End-User License Agreement" page showing the Relay License] 



Now the directory where the FinSpy Relay will be installed can be chosen: 
[Screenshot: FFRelay Setup, "Destination Folder" page. Install FFRelay to: C:\Program Files\FFRelay\] 



After choosing the directory, click OK and the following dialog will be shown: 



[Screenshot: FFRelay Setup, "Ready to install FFRelay" page with the "Install" button] 



Once the "Install" button is clicked, on Windows Vista and Windows 7, the UAC (user account control) 
popup will be shown and this needs to be allowed! 



[Screenshot: User Account Control prompt, "An unidentified program wants access to your computer", naming the RelayInstaller .msi file with "Unidentified Publisher" and offering "Cancel" and "Allow"] 

Once "Allow" is clicked, the installation starts: 

[Screenshot: FFRelay Setup, "Please wait while the Setup Wizard installs FFRelay."] 



During the installation, the installer opens the relay.cfg file in Notepad, where the relay settings 
are to be entered: 

[Screenshot: relay.cfg - Notepad] 

# Configuration file for the Relay Module 

# list of ports for incoming (target-side) connections: 
CFG_TARGET_PORTS = 2000 

# Next hops to connect (relays, proxy) 
CFG_NEXT_HOP_1 = hostname, 2050 

# socket read/write-timeout (in seconds) 
CFG_SOCKET_TIMEOUT = 10 


Note: sometimes the relay.cfg file is opened behind the installer. 
[Screenshot: relay.cfg - WordPad] 

# Configuration file for the Relay Module 

# list of ports for incoming (target-side) connections: 
CFG_TARGET_PORTS = 1111, 1112, 1113 

# Next hops to connect (relays, proxy) 
CFG_NEXT_HOP_1 = 192.168.0.49, 1111 

# socket read/write-timeout (in seconds) 
CFG_SOCKET_TIMEOUT = 10 

After editing the relay.cfg it needs to be saved and closed. The installer continues until the FinSpy Relay 
is installed. 





[Screenshot: FFRelay Setup, "Completed the FFRelay Setup Wizard", with the "Finish" button] 





The "relay.cfg" needs to be changed according to FinSpy Relay - Configuration Options. 
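During forensic triage of a relay host, the relay.cfg format shown in this section can be parsed to recover the listening ports and the next-hop endpoint, which can then be compared with firewall rules or flow logs. The Python below is an added example, not part of the manual or the product; the function names are hypothetical, and it assumes that "#" starts a comment and that the numeric suffix of CFG_NEXT_HOP_ is a hop index.

```python
import re

# Constructed sample: the values from the edited relay.cfg shown in the manual.
SAMPLE_CFG = """\
# Configuration file for the Relay Module
# list of ports for incoming (target-side) connections:
CFG_TARGET_PORTS = 1111, 1112, 1113
# Next hops to connect (relays, proxy)
CFG_NEXT_HOP_1 = 192.168.0.49, 1111
# socket read/write-timeout (in seconds)
CFG_SOCKET_TIMEOUT = 10
"""

def _port(token, lineno):
    """Validate one port token and return it as an int."""
    token = token.strip()
    if not re.fullmatch(r"\d{1,5}", token) or not 0 < int(token) < 65536:
        raise ValueError(f"line {lineno}: bad port {token!r}")
    return int(token)

def parse_relay_cfg(text):
    """Parse relay.cfg text into ports, next hops, timeout and unrecognised keys."""
    cfg = {"target_ports": [], "next_hops": {}, "socket_timeout": None, "unknown": {}}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # assumption: '#' starts a comment
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected KEY = VALUE")
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "CFG_TARGET_PORTS":
            cfg["target_ports"] = [_port(p, lineno) for p in value.split(",")]
        elif re.fullmatch(r"CFG_NEXT_HOP_\d+", key):
            host, _, port = value.rpartition(",")
            if not host.strip():
                raise ValueError(f"line {lineno}: next hop needs 'host, port'")
            # assumption: the numeric suffix is the hop index
            cfg["next_hops"][int(key.rsplit("_", 1)[1])] = (host.strip(), _port(port, lineno))
        elif key == "CFG_SOCKET_TIMEOUT":
            cfg["socket_timeout"] = int(value)
        else:
            cfg["unknown"][key] = value       # keep for the analyst, never guess
    return cfg

def expected_flows(cfg):
    """Inbound listening ports and outbound (host, port) pairs implied by the config."""
    return sorted(set(cfg["target_ports"])), sorted(set(cfg["next_hops"].values()))

if __name__ == "__main__":
    print(expected_flows(parse_relay_cfg(SAMPLE_CFG)))
```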







3.2.3 Monitoring 

The FinSpy Relay comes with a companion component, the FinSpy Relay Monitoring, which takes care of 
starting and stopping the Relay. If the FinSpy Relay crashes, the FinSpy Relay Monitoring restarts it. The 
FinSpy Relay Monitoring is a Windows service. If the FinSpy Relay Monitoring service is stopped, it also 
stops the FinSpy Relay. If the FinSpy Relay Monitoring is started, it starts the Relay. 

The FinSpy Relay Monitoring binary and service name is: FFRelayW(.exe) 

The FinSpy Relay binary name is: FFRelay(.exe) 

To control the FinSpy Relay Monitoring open the Services window: 

Control Panel\Administrative Tools\Services 



[Screenshot: Services window. The FFRelayW entry shows Status "Started", Startup Type "Automatic" and Log On As "Local System".] 



Right-click on the Service and choose whatever action is needed (e.g. "Stop"): 



[Screenshot: Services window with the context menu of the selected service open (Start, Stop, Pause, Resume, Restart)] 



If the FinSpy Relay Monitoring service is stopped, the Relay is also stopped. 

To start the FinSpy Relay Monitoring the FFRelayW service needs to be right-clicked and "Start" chosen: 
To check if FFRelayW and FFRelay are running, open the Task Manager and select the "Processes" tab. 

The FFRelayW process runs in the SYSTEM context because it is a service, and because FFRelay is 
started by the service it also runs in the SYSTEM context; neither of them runs as the current user. 
To see all the processes running on a machine, click "Show processes from all users": 



[Screenshot: Windows Task Manager, "Processes" tab] 



Now all the processes running on the machine will be shown, including the FFRelayW and FFRelay. 
3.3 FinSpy Relay - Linux 

3.3.1 Prerequisites 

The software runs "out-of-the box" under normal circumstances. 



Name                  Description 

Hardware              • minimal 256 MB RAM 
                      • recommended 512 MB RAM 

Linux Distributions   • Ubuntu / Debian 

Software              "monit" should be installed. 
                      http://mmonit.com/monit/ 
                      Further information can be obtained from the FinSpy Master section. 

3.3.2 Installation 

To install the FinSpy Relay in Linux the Installer needs to be executed with "root" privileges. 
The filename is: ffrelay.ubuntu.2.xx.ggi 



root@localhost:~$ ./ffrelay.ubuntu.2.xx.ggi 
FInstaller 1.0 
Extracting Installation Files... 
installer 
ffrelay.ggi.tar 
Launching Installer... 
CDIR 
/home/xaitax 
TMPDIR 
/tmp/selfextract.fYCZZ4 
Stopping FFRelay 
monit: generated unique Monit id xxx and stored to '/root/.monit.id' 
monit: service 'ffrelay' -- doesn't exist 
Extracting Software Files... 
./ 
./usr/ 
./usr/local/ 
./usr/local/ffrelay/ 
./usr/local/ffrelay/lib/ 
./usr/local/ffrelay/bin/ 
./usr/local/ffrelay/bin/ffrelay 
./usr/local/ffrelay/updates/ 
./usr/local/ffrelay/data/ 
./usr/local/ffrelay/data/relay.cfg_template 
./usr/local/ffrelay/data/version 
./etc/ 
./etc/monit.d/ 
./etc/monit.d/ffrelay 
./etc/init.d/ 
./etc/init.d/ffrelay 
Running Post-Installation Steps... 
Starting FFRelay 
monit: service 'ffrelay' -- doesn't exist 
FFRelay Installer done. 







The only thing which needs to be done after installation is to rename the configuration file so that it is 
accepted by the FinSpy Relay. 



# cd /usr/local/ffrelay/data/ 
# cp relay.cfg_template relay.cfg 

The "relay.cfg" needs to be changed according to FinSpy Relay - Configuration Options. 
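The paths printed by the installer in this section, together with the relay.cfg created afterwards, can serve as host indicators when examining a Linux server or a mounted disk image. The Python below is an added example, not part of the manual or the product; the function names and verdict labels are hypothetical, and `root` is assumed to be either "/" on a live system or the mount point of an image.

```python
import os

# Paths taken from the installer output and the post-install step in the manual.
FFRELAY_PATHS = [
    "usr/local/ffrelay/bin/ffrelay",
    "usr/local/ffrelay/data/relay.cfg_template",
    "usr/local/ffrelay/data/relay.cfg",
    "usr/local/ffrelay/data/version",
    "etc/monit.d/ffrelay",
    "etc/init.d/ffrelay",
]

def scan_root(root="/"):
    """Return metadata for each listed path that exists under root."""
    hits = []
    for rel in FFRELAY_PATHS:
        full = os.path.join(root, rel)
        # lexists/lstat do not follow symlinks, so an absolute link inside a
        # mounted image cannot redirect the check to the analyst's own system.
        if os.path.lexists(full):
            st = os.lstat(full)
            hits.append({
                "path": "/" + rel,
                "size": st.st_size,
                "mtime": int(st.st_mtime),      # useful for the timeline
                "mode": oct(st.st_mode & 0o7777),
            })
    return hits

def assess(hits):
    """Hypothetical verdict: absent, installed, or configured (relay.cfg was created)."""
    paths = {h["path"] for h in hits}
    if not paths:
        return "absent"
    if "/usr/local/ffrelay/data/relay.cfg" in paths:
        return "configured"
    return "installed"

if __name__ == "__main__":
    found = scan_root("/")
    print(assess(found), [h["path"] for h in found])
```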
4 FINSPY HARDWARE SETUP 

It is necessary to know how the FinSpy Setup needs to be configured in detail. The following chapter will 
give an inside view into the FinSpy periphery. 

4.1 FinSpy Total Setup 

The following diagram gives a detailed view into the FinSpy Hardware setup. 




4.2 FinSpy Master Setup 

The following diagram gives a detailed view into the FinSpy Master Hardware setup. 



[Diagram: FinSpy Master hardware setup. Labelled components: FinSpy HQ Server (front and rear view); Avocent 17" LCD / KVM with 1x KVM cable (VGA and USB); APC Smart-UPS 1000; HP ProCurve 2124. Labelled connections: 1x 1000BASE-T copper RJ45 (8P8C), Internet connection; optional 1x 1000BASE-T copper RJ45 (8P8C), "one-way" to a Monitoring Center; 1x 100BASE-T copper RJ45 (8P8C), from/to Workstations; 1x USB Type A & B; power cables with IEC 320 C13 / C14 connectors (220-240 VAC and 110-240 VAC; 50/60 Hz).] 



4.3 FinSpy Agent Setup 

The following diagram gives a detailed view into the FinSpy Agent Hardware setup. 



[Diagram: FinSpy Agent hardware setup. FinSpy Workstation (front view) with 1x power supply (100 - 240 V AC).] 

5 SUPPORT 

All customers have access to an after-sales website that gives the customers the following capabilities: 

• Download product information (Latest user manuals, specifications, training slides) 

• Access change-log and roadmap for products 

• Report bugs and submit feature requests 

• Inspect frequently asked questions (FAQ) 

The after-sales website can be found at 

• https://www.gamma-international.de 

o Username: 
o Password: 
FinSpy 

FINFISHER: GOVERNMENTAL IT INTRUSION AND REMOTE MONITORING SOLUTIONS 

QUICK INFORMATION 
Remote Computer Monitoring 
Content: Hard- and Software 



FinSpy is a field-proven Remote Monitoring 
Solution that enables Governments to face 
today's challenges of monitoring Mobile and 
Security-Aware Targets that regularly change 
location, use encrypted and anonymous 
communication channels and reside in foreign 
countries. Traditional Lawful Interception 
solutions face new challenges that can only be 
solved using active systems like FinSpy: 

• Data not transmitted over any network 

• Encrypted Communication 

• Targets in foreign countries 

FinSpy has been proven successful in operations around the world for many years and valuable 
intelligence has been acquired about Target Individuals and Organizations. 

When FinSpy is installed on a computer system or mobile phone it can be remotely controlled and 
accessed as soon as it is connected to the internet/network, no matter where in the world the 
Target System is based. 

Usage Example 1: Intelligence Agency 

FinSpy was installed on several computer systems inside Internet Cafés in critical areas in order to 
monitor them for suspicious activity, especially Skype communication to foreign individuals. Using 
the Webcam, pictures of the Targets were taken while they were using the system. 

Usage Example 2: Organized Crime 

FinSpy was covertly deployed on the mobile phones of several members of an Organized Crime 
Group. Using the GPS tracking data and silent calls, essential information could be gathered from 
every meeting that was held by this group. 

Download Catalog: FinSpy-Catalog.pdf (352 KB) 

Download Specifications: FinSpy-2.20-Specifications.pdf (2.38 MB) 

Download Video: FinSpy-Video.wmv (4.68 MB) 



Copyright © 2010 Gamma International GmbH. All Rights Reserved. 



GAMMA INTERNATIONAL 
United Kingdom 

Tel: +44 - 1264 - 332 411 
Fax: +44 - 1264 - 332 422 

WWW.GAMMAGROUP.COM 
info@gammagroup.com 



